Balancing Security and Risk in a Cloud-Connected Enterprise
By Anil Karmel, Founder and CEO, C2 Labs
Organizations are presented with a myriad of choices when determining how to procure, implement, migrate or scale applications to serve an increasingly mobile user base. Users are requesting the same level of agility, flexibility and transparency at work that they get in their personal lives. With budgets headed south, how does IT find the right balance of security, functionality and risk when selecting, deploying and scaling services for its users?
Who do you trust?
Cloud offers an incredible promise, yet there are very real security concerns for both the cloud consumer and the cloud provider. Given our increasingly mobile workforce, “Bring Your Own Device” (BYOD) with Mobile Device Management (MDM) approaches also amplify security and privacy concerns. Social users may end up inadvertently placing sensitive data on public social networks. When all this is fused with Big Data, an organization’s unstructured data can unveil actionable intelligence, but what about the Mosaic effect, where two pieces of previously non-relevant information, when placed together, give up corporate secrets?
When you wake up in the morning, what’s the first thing you reach for? Your glasses? Or is it more likely your smartphone? Why? Because the best emails come in between midnight and six AM, right? As you scroll through your email, social media feeds and news reports, you feel completely connected and ready for your day, and you haven’t even gotten out of bed yet! On your way to work, you stop off at a local coffee shop and grab a quick pick-me-up, taking the opportunity to check in using your favorite social media app. When you get to work, you saunter in with your coffee and smartphone, connect your phone and laptop to the company’s wireless network and begin your day. Twenty minutes later, a frantic IT worker runs into your office and says your network has been hacked.
How did that happen? Remember when you opened your emails this morning? What looked like an innocuous social media connection request turned out to be a link to download malware to your smartphone. Remember checking in at the coffee shop? The malware knew your location. When you got to work and tethered to your corporate wireless network, the malware activated itself by knowing your location and used your phone as a “Command and Control” (C&C) vehicle to infiltrate your network. All you did was click on a connection request in the morning.
How does an organization balance time-to-market, cost concerns, security, manageability and risk in the move to a cloud-connected enterprise?
Traditional approaches to delivering IT focus on offering applications on premise within our own data centers. IT shops are bringing cloud services into their enterprises at a rapid pace, including Infrastructure-as-a-Service (e.g. Amazon EC2), Software-as-a-Service (e.g. Salesforce.com) and Platform-as-a-Service offerings with connections back to their own data centers. To modernize our systems, we have to redefine the context in which we think about delivering IT around four questions: Who is the user? What data are they trying to access? Where are the user and the data? How are they accessing the information? We can think about this approach as ‘Context Aware IT’, where the level of assurance of the data defines the required level of trust. For example, if you normally access your banking mobile application in the U.S., then find yourself in Europe the next day, do you think you should be able to access the app the same way? Because of your new, unusual location, you should be prompted for another credential to verify your identity before getting access to your sensitive data. Similarly, let’s say you’re on your way to work with a slew of personal applications on your phone. When you arrive at work, your company’s Mobile Device Manager (MDM) can use geo-fencing (location) to turn off access to portions of your phone’s functionality or content, protecting corporate assets from potential harm. By using a Context Aware IT approach, we can determine who and what we can trust.
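The banking scenario above can be expressed as a small policy function. This is an added example, not code from the article or from C2 Labs; the assurance levels, the one-point-per-signal scoring and all names (`AccessContext`, `USUAL_COUNTRIES`, `decide`) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Data assurance levels (the "what"). Illustrative values, not from the article.
LOW, MODERATE, HIGH = 1, 2, 3

@dataclass(frozen=True)
class AccessContext:
    user_id: str            # who is the user
    data_assurance: int     # what data they are trying to access
    country: str            # where the user is
    device_managed: bool    # how they connect (MDM-enrolled device or not)
    mfa_done: bool = False  # has a second credential already been verified

# Constructed sample data: countries each user normally signs in from.
USUAL_COUNTRIES = {"alice": {"US"}}

def trust_score(ctx: AccessContext) -> int:
    """One point for the primary credential plus one per positive context signal."""
    score = 1
    if ctx.country in USUAL_COUNTRIES.get(ctx.user_id, set()):
        score += 1
    if ctx.device_managed:
        score += 1
    if ctx.mfa_done:
        score += 1
    return score

def decide(ctx: AccessContext) -> str:
    """The data's assurance level sets the trust the request must reach."""
    score = trust_score(ctx)
    if score >= ctx.data_assurance:
        return "allow"
    # A second credential adds one point; prompt only if that closes the gap.
    if not ctx.mfa_done and score + 1 >= ctx.data_assurance:
        return "step_up"
    return "deny"

if __name__ == "__main__":
    home = AccessContext("alice", HIGH, "US", device_managed=True)
    abroad = AccessContext("alice", HIGH, "DE", device_managed=True)
    print(decide(home), decide(abroad))
```

The same request that is allowed from the usual location triggers a prompt for another credential from the unusual one, and is refused outright when the device is also unmanaged.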
New Approaches and Technologies
As applications are being deployed within an organization at an exponential pace, IT shops are struggling with how to manage this new application sprawl both on and off premise. Balancing security and risk in a cloud-connected enterprise requires approaches and technologies that allow IT the agility, flexibility and transparency to manage a myriad of applications across environments. A new approach has emerged that picks up where server virtualization left off: application containerization. By deploying applications into an application container, IT shops can quickly scale applications both on and off premise, breaking the traditional one-to-one tie from system to application and allowing multiple applications to reside on the same underlying operating system. An important additional value proposition is the ability to dynamically move applications across cloud service providers, eliminating vendor lock-in. If a cloud service provider has been compromised, the application can be easily moved to another provider by simply moving the container, reducing an organization’s risk profile. Coupling Application Containerization with Virtualization and other technologies can increase an organization’s security posture while delivering the power and value of the cloud to a consumer’s hands.
What does this all mean?
Balancing a user’s needs in an ever-evolving IT landscape while discovering the optimal security and risk envelope for an application requires a new way of thinking. Coupling Context Aware IT with new technologies can enable IT to take better advantage of its on-premise systems and embrace the power of the cloud. With this approach, security and risk can be quantified by understanding the level of trust based on the value of the information protected, ensuring that system security is context aware around the applications and associated data. Cloud is no longer somewhere we want to go, but somewhere we will go. How you get there is the question. Context Aware IT just might be the answer.