Welcome!

Cloud Expo Authors: Liz McMillan, Elizabeth White, Kevin Benedict, Cloud Ventures, Patrick Carey

Related Topics: Cloud Expo, Java, .NET, Linux, Virtualization, Security

Cloud Expo: Article

Analyzing the Top 10 Benefits of Unified Security

Providing collaborative intelligence from the cloud

Of all the strategies and tactics available to prevent breaches, deter data leakage and theft, control access and secure beyond the so-called network perimeter, the one that is emerging as an achievable and affordable best practice is that of unified security from the cloud.

But if you look across the web, you will no doubt come across various versions of what constitutes “unified,” what is “protected,” and, what is “security from the cloud?” Luckily this means that the concept of unified security from the cloud is becoming more and more of a best practice. In general, the practice of unified security is the centralization of all security functions under one umbrella across the enterprise. This means more than ensuring data encryption. It means more than access policies. It means more than intrusion detection, malware blocking, data review. It’s more than ensuring compliance to the various regulatory bodies that provide general guidelines. It is the sum of all these things… and more.

So what is unified security? In short, it is an enterprise-powered tactical strategy that not only centralizes various security toolsets, but creates the seamless means to create cooperative functionality between them all. And as a cloud-based security initiative, this creates several tangible benefits that will allow any-sized company to upgrade their protection, but expand their protection beyond the network-centric traditional models of perimeter security.

To properly expand visibility, unified security is typically comprised of several solutions including system log archiving (the collection and storage of all online activity), identity management (administration of users, passwords and applications), access management (enforcement of identity rules and channeled access to data) and SIEM (the  intelligence that correlates and contextualizes all activity).

True unified security is also more than the solutions it comprises; it includes the analysis, management, and the implementation of access and intelligence policies that transform it from passive to proactive and immediately responsive. And by developing and managing these security features, solutions and policies from the cloud is more than the obvious cost savings, it allows for the exponential expansion of  real time visibility over a broader landscape and facilitates a more secure transaction compatibility with the way modern enterprises exchange, process and share  information.

To that end, the following are 10 benefits of implementing unified security from the cloud.

10. Right size as the situation dictates – In today’s business landscape, change is often fast and evolutionary. Being able to keep up is a major challenge for IT and IT security. One of the hallmarks of a cloud-based implementation is the flexibility and agility to adjust its scope quickly and without the oppressive costs and time of a consultant or IT service. Considering the hoops of fire and Herculean strength needed to expand coverage to a new department or division, on-premise security initiatives may require the purchase of new expensive servers, resource-heavy reconfiguration and re-prioritization of core competency projects.   With the cloud’s natural economies of scale, these costs are already absorbed and changes are more fluid and immediate. And with unified security, it’s more than just applying a sensor or agent on a server to collect new data. The changes to right size affect more than a single solution, —you must consider the constant fluctuation of change within an enterprise-the ebb and flow of staffing, the adjustment of new, updated and retired applications, and all the moving parts that come with incorporating vendors, suppliers and customers into the permission and protection mix. Unified security from the cloud creates the freedom and necessary speed to evolve with a company’s changing situation on an as-needed basis without an Act of Congress while still ensuring the adjustments across all the entire security landscape.

9. Make compliance easier: One of the substantial drains of time and energy go into the process of proving to various regulatory bodies that various slices of data are free from prying keyboards. Some companies go so far as dedicating personnel to simply comb through logs and find and report upon instances of breach and questionable activities. As I’ve insisted many times before, this practice is akin to looking for the horse in a gigantic haystack long after its left the barn (no matter how often sys-logs are reviewed, it is done in a rear-view mirror. These are events that have already occurred. And the damage is already done).

When evaluating what organizations like PCI and HIPAA require, the scope is more than just continuous monitoring (see blog regarding continuous monitoring satisfies compliance, but not security). They require proof of compliance for everything from firewall configuration to vulnerability scans, from data storage protocols to the development of identity authentication, password management and access privileges. I've identified about 20 common critical controls that are typically required by all compliance agencies. Unified security consolidates all the capabilities so that the reporting is considerably more streamline and accessible. Instead of four or five solutions each requiring four or five reports, logins and the physical coordination, collection and review for reporting, compliance is achieved by an automated model (see the white paper Mapping Compliance Requirements). It is the multiple collaborative and concurrent layers of security that support the automations, create better accuracy and significantly reduce the time previously dedicated to compliance reporting.

8. Easier, faster to deploy and find ROI. Forrester noted that 73% of major software implementations don’t get past phase 1. Whether a result of scope creep, budget issues or flagging executive buy-in, the promise of ROI for on premise security initiatives are difficult; not to mention the drag on IT productivity and lack of measurable results. And it’s those results we depend on to drive ROI and solve the business need (see the article: Is your security initiative “one inch into a mile”? ) It’s no secret that way too many companies view security solutions as a “nice to have” luxury or a grudgingly purchased cost center. But this is a different business environment than even that of 5 years ago; beyond the drivers of compliance and industry required governance IT security must be built into the fabric of every online facet of the business. Ignore reality at your own peril.

Assuming that security investments are not simply a luxury, the question remains how do you find ROI in a prevention initiative? On-premise point solutions are expensive. There’s no getting around that fact. Installing them is expensive. Configuring them is expensive. Maintaining them is expensive. In fact, Gartner estimates the annual cost to own and manage traditional on-premise security software applications can be 4X the initial purchase. Each and every move is a significant bite out of the any potential ROI gain in productivity. It might be more than 3 years before the investment starts paying off in any tangible way. Now the cloud, especially the unified security configuration, removes all of the waiting time. As a multi-tenant deployment, there is no hardware to buy, no software to install. Your complex, planned multi-phased, multi-year rollout can be fused a single week (sometimes “installation-to-insight” in minutes). Therefore the cloud version is providing the immediate benefits and immediate returns. Moreover, unified cloud security removes the complexity in configuration, installation and deployment because it is already built and easily customized to fit any sized organization.

We’ll deal with cost later on, but in terms of ROI, because there are no capital expenditures and the ability to keep investment minimized and output maximized means you can realign resources based on immediate business needs. The ROI is the elimination of negative impact—no compliance fines, no trust-busting breaches while waiting for the system to be fully functional, reduced risks and liabilities may decrease various insurance costs, no employees slipping away unnoticed with a database of your customers, no having to put out malware fires, no excessive time management conflicts from multi-sourced coordination, no de-centralized shadow IT, etc..

7. Better safeguard against BYOD: It may be the buzzword of the moment, but it is a trend that will continue to proliferate. Employees are increasingly using their own potentially-unsanctioned devices (smart phones, tablets and other mobile devices) to access your network, applications and data. (Read the blog “The Genie, the bottle and BYOD).  Users love the mobility and the immediacy of these devices, but forget these devices are just hand-held computers prone to the same intrusions, attacks, viruses and risks as the computers used in the office. The larger problem is many users don’t see that, so every time they sign on to your network or download an app, it creates a wider and wider vulnerability gap for the enterprise network. However, by implementing unified security (that includes access control and identity management), you can minimize what an employee (or supplier, partner or any other group) can see and what tools they can access. Additionally unified security policies can create an alert every time one of these unsanctioned devices tries to access the enterprise. Based on your protocols and administrative policies, the system can grant access or block for these mobile devices. It is one way in which identity management, access management; log management and SIEM work seamlessly together and prevent unwarranted access or careless usage issues.

6. Security-as-a-service offers continuous tribal knowledge (expertise) without adding headcount. One of the constant impediments to shrinking the vulnerability gap is recruiting and retaining the specific type of talent necessary to maintain an enterprise-level security initiative. But The MSPAlliance reports that the unemployment rate for such professionals is less than 1%--and the salary for these specialists has doubled in the past three years. Security-as-a-service is the “secret” value-add that accompanies a cloud-based deployment.  Having an expert that understands more than what a denial of service/brute force attack looks like can be invaluable; one that knows how to read in between the lines; that understands context and can trigger an alert or dismiss a possible threat as harmless—and to do it without any additional personnel costs to a company is a huge benefit.

We will be continuing this list next week with our entries of 5 through our number one benefit. However, in case you can’t wait, here’s a preview...

5. Control applications and who gets to use them

4. Know what’s happening faster, more completely

3. Real time actionable information

2. One single, centralized management component

1. More protection, less cost

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

Cloud Expo Breaking News
Cloud Computing is evolving into a Big Three of Amazon Web Services, Google Cloud, and Microsoft Azure. Cloud 360: Multi-Cloud Bootcamp, being held Nov 4–5, 2014, in conjunction with 15th Cloud Expo in Santa Clara, CA, delivers a real-world demonstration of how to deploy and configure a scalable and available web application on all three platforms. The Cloud 360 Bootcamp, led by Janakiram MSV, an analyst with Gigaom Research, is the first bootcamp that introduces the core concepts of Infrastructure as a Service (IaaS) based on the workings of the Big Three platforms – Amazon EC2, Google Compute Engine, and Azure VMs. Bootcamp attendees will get to see the big picture and also receive the knowledge needed to make the best cloud decisions for their business applications and entire enterprise IT organization.
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
The Internet of Things is a natural complement to the cloud and related technologies such as Big Data, analytics, and mobility. In his session at Internet of @ThingsExpo, Joe Weinman will lay out four generic strategies – digital disciplines – to exploit emerging digital technologies for strategic advantage. Joe Weinman has held executive leadership positions at Bell Labs, AT&T, Hewlett-Packard, and Telx, in areas such as corporate strategy, business development, product management, operations, and R&D.
SYS-CON Events announced today that DevOps.com has been named “Media Sponsor” of SYS-CON's “DevOps Summit at Cloud Expo,” which will take place on June 10–12, 2014, at the Javits Center in New York City, New York. DevOps.com is where the world meets DevOps. It is the largest collection of original content relating to DevOps on the web today Featuring up-to-the-minute news, feature stories, blogs, bylined articles and more, DevOps.com is where the thought leaders of the DevOps movement make their ideas known.
There are 182 billion emails sent every day, generating a lot of data about how recipients and ISPs respond. Many marketers take a more-is-better approach to stats, preferring to have the ability to slice and dice their email lists based numerous arbitrary stats. However, fundamentally what really matters is whether or not sending an email to a particular recipient will generate value. Data Scientists can design high-level insights such as engagement prediction models and content clusters that allow marketers to cut through the noise and design their campaigns around strong, predictive signals, rather than arbitrary statistics. SendGrid sends up to half a billion emails a day for customers such as Pinterest and GitHub. All this email adds up to more text than produced in the entire twitterverse. We track events like clicks, opens and deliveries to help improve deliverability for our customers – adding up to over 50 billion useful events every month. While SendGrid data covers only abo...
SYS-CON Events announced today that the Web Host Industry Review has been named “Media Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Since 2000, The Web Host Industry Review has made a name for itself as the foremost authority of the Web hosting industry providing reliable, insightful and comprehensive news, reviews and resources to the hosting community. TheWHIR Blogs provides a community of expert industry perspectives. The Web Host Industry Review Magazine also offers a business-minded, issue-driven perspective of interest to executives and decision-makers. WHIR TV offers on demand web hosting video interviews and web hosting video features of the key persons and events of the web hosting industry. WHIR Events brings together like-minded hosting industry professionals and decision-makers in local communities. TheWHIR is an iNET Interactive property.
SYS-CON Events announced today that O'Reilly Media has been named “Media Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.
SYS-CON Events announced today that Verizon has been named “Gold Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Verizon Enterprise Solutions creates global connections that generate growth, drive business innovation and move society forward. With industry-specific solutions and a full range of global wholesale offerings provided over the company's secure mobility, cloud, strategic networking and advanced communications platforms, Verizon Enterprise Solutions helps open new opportunities around the world for innovation, investment and business transformation. Visit verizonenterprise.com to learn more.
SYS-CON Events announced today that TMCnet has been named “Media Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Technology Marketing Corporation (TMC) is the world's leading business to business and integrated marketing media company, servicing niche markets within the communications and technology industries.
"In my session I spoke about enterprise cloud analytics and how we can leverage analytics as a service," explained Ajay Budhraja, CTO at the Department of Justice, in this SYS-CON.tv interview at the 14th International Cloud Expo®, held June 10-12, 2014, at the Javits Center in New York City. Cloud Expo® 2014 Silicon Valley, November 4–6, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading Cloud industry players in the world.
“We are starting to see people move beyond the commodity cloud and enterprises need to start focusing on additional value added services in order to really drive their adoption," explained Jason Mondanaro, Director of Product Management at MetraTech, in this SYS-CON.tv interview at the 14th International Cloud Expo®, held June 10-12, 2014, at the Javits Center in New York City. Cloud Expo® 2014 Silicon Valley, November 4–6, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading Cloud industry players in the world.
"We are automated capacity control software, which basically looks at all the supply and demand and running a virtual cloud environment and does a deep analysis of that and says where should things go," explained Andrew Hillier, Co-founder & CTO of CiRBA, in this SYS-CON.tv interview at the 14th International Cloud Expo®, held June 10-12, 2014, at the Javits Center in New York City. Cloud Expo® 2014 Silicon Valley, November 4–6, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading Cloud industry players in the world.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity. In his session at Internet of @ThingsExpo, Mac Devine, Distinguished Engineer at IBM, will discuss bringing these three elements together via Systems of Discover.
The Internet of Things promises to transform businesses (and lives), but navigating the business and technical path to success can be difficult to understand. In his session at 15th Internet of @ThingsExpo, Chad Jones, Vice President, Product Strategy of LogMeIn's Xively IoT Platform, will show you how to approach creating broadly successful connected customer solutions using real world business transformation studies including New England BioLabs and more.
All too many discussions about DevOps conclude that the solution is an all-purpose player: developer and operations guru, complete with pager for round-the-clock duty. For most organizations that is not the way forward. In his session at DevOps Summit, Bernard Golden, Vice President of Strategy at ActiveState, will discuss how to achieve the agility and speed of end-to-end automation without requiring an organization stocked with Supermen and Superwomen.