Changes in how corporate and government IT services are delivered are sounding the death knell of the perimeter, the border between corporate and other systems such as SaaS, other cloud and managed services, mobile devices and the internet.
Quite simply, the perimeter is either disappearing or becoming much harder to define - and that is posing enterprise security challenges. Security is being rearchitected in response and that is a challenge not just for enterprises but for service providers, partners and resellers.
Reseller News and its sponsors, Symantec and Westcon-Comstor, assembled an elite group of providers and partners to discuss those challenges and how the channel is responding to them.
So what is this new environment and what are the challenges it presents? At the centre of it all lies the indefinable cloud, but what was once seen as part of the security solution is also turning up new problems.
Datacom associate director of sales and business development Mark Ellis said there is a general acceptance that moving to the cloud doesn’t solve security problems, instead it injects new problems that didn’t exist before.
“There was a period where customers were pushed to the cloud and made that sort of naïve assumption that all of their problems went once they abstracted into Azure cloud, for example,” Ellis said.
“I don’t believe that that is the way that our customers understand the cloud environment today.”
The first wave of excitement was all about what the cloud could give, said Dean Graham, A/NZ enterprise manager for Insight Enterprises. They were asking what the cloud could give to applications and to the business.
“I’m going to be able to drive cost out. I’m going to be able to catch the market. I’m going to be able to do exciting things for my people - and by the way is somebody keeping an eye on the back door here, are we okay?”
In the rush, there’s been stumbling and pain and people are remembering security was important and maybe it still is important – and the application security piece is a core part of that.
Ellis said in the last year in New Zealand he had seen a radical change focusing on multi-cloud security, but that has also led to imprecision in the language used to talk about the issues.
“I think you’ve got to recognise that security and cyber security and information security, network security are all radically different things and the only thing they have in common is protection, but they are very, very loosely coupled,” he said.
Customers are spending more time securing applications today where in the past they only secured networks with the focus often on end-point security or maybe firewalls.
“Customers now are only interested in securing applications as a general rule,” Ellis said. “So, securing the application is the key, not securing the data centre assets that are sort of obfuscated behind the network.”
There is an aspect of “shutting the barn door after the horse has fled”, said Sam Taylor, Symantec’s New Zealand country manager.
Customers want to know where their data is now sitting and what is actually going on, effectively asking for a “shadow audit” to help define the scope of their security problem.
Enterprise customers are trying to liberate users from the network so technologies and approaches such as VPNs or locking applications and data behind very big firewalls are becoming legacy.
“They want to open up their data centre and let people in, but also ensure that can be done without putting applications at risk and allowing an attacker in so they can go east to west very quickly through the network ,” Taylor said.
And that brings the discussion back to the perimeter.
Westcon-Comstor sales and marketing manager Simon Goode said securing applications is right, but there’s still a lot of phishing, ransomware and a lot of other ways that people are still attacking businesses.
One of the world’s largest aluminium smelters, for instance, was brought to a grinding halt last month by a severe ransomware attack.
“That’s not about securing the application that is about securing the perimeter, so I think there’s a bit of that as well,” he said. “You’ve got to look at both.”
Experts at the roundtable agreed, service providers need to go back to the start to unpackage customer expectations and define “cloud”.
Customers can think because a provider manages their firewall, they also manage their security and have an expectation, privacy, GDPR and data localisation are also in hand.
Exacerbating the issue is the fact many boards don’t truly understand the issues and organisations have less institutional knowledge about it.
Plan B CEO Frazer Scott said the kernel of storage or compute managed by Microsoft or AWS or whoever is incredibly secure, but there are a lot of other perimeters and complexity around that. Every customer Plan B talks to has security front-of-mind.
“Sometimes it’s the IT manager saying ‘can you help me convince further down the line that we’ve got a problem we need to address?’”
Some, like SMB specialist Acquire, are building security practices because customers are demanding it.
“Cloud is the best option for them,” director Kelly Raines said. “They’ve got a lot more mobile workforces out there, a lot more choose your own device and bring your own device, and obviously cloud is the most effective way of solving those problems.”
Symantec senior channel director for A/NZ, Klasie Holtzhausen, reckons part of the issue is customers don’t know what they don’t know.
When they move to the cloud, many make the assumption that because systems are running on one of the very well-known infrastructures it must be secure.
“The second challenge with that is they don’t have the resources and the skills to address a challenge that is getting bigger and moving faster than anybody can think about.”
Another issue is organisations are losing track of and control over their information.
“Do they understand what they have? Do they know what the right applications and information are to move to the cloud? And once it’s there how do they monitor it? How do they manage it to make sure it doesn’t fall in the wrong hands?”
Those questions also speak to shadow IT, where cloud systems are implemented outside proper management and control structures.
It’s not just about the firewall anymore. With the shifting perimeter and users demanding access from anywhere from any device organisations need a more complete end-to-end view of their security posture.
For many organisations, it is the adoption of Microsoft’s Office 365 that became a catalyst for some serious questioning, analysis and action. And New Zealand organisations have been a very early and enthusiastic adopters of the cloud-based office productivity suite.
Datacom’s Ellis said the adoption of Office 365 across all of Datacom’s enterprise clients, is a given.
“They’ve either done it or they are trying to figure out how to do it,” he said. “I don’t think we have many customers that are holding out not to do it.”
As soon as they move everything changes for them.
“There’s absolutely no doubt that understanding how to secure that information once they’ve given it out from the tight perimeter they used to own and control was top of mind for most of them.”
That said, the cloud is definitely more secure than running large legacy environments with 20-year-old firewalls and 50-year-old firmware running on old mainframes.
“The challenge is you do have to take responsibility for it for yourself,” Ellis said.
David Small, of Softsource, said the ongoing issue with Office 365 and other platforms is that security is a conversation that constantly happens after the fact.
“It needs to be up-front and in the base conversation about going to these cloud platforms,” he said.
Read more on the next page...