As the perimeter disappears, channel partners target security
- 10 May, 2019 16:00
L-R: Simon Goode (Westcon-Comstor); Dean Graham (Insight Enterprises); David Small (Softsource); Frazer Scott (Plan B); James Henderson (Reseller News); Kelly Raines (Acquire); Sam Taylor (Symantec); Rob O'Neill (Reseller News); Matthew Roberts (SAS IT); Mark Ellis (Datacom); Klasie Holtzhausen (Symantec)
Changes in how corporate and government IT services are delivered are sounding the death knell of the perimeter, the border between corporate and other systems such as SaaS, other cloud and managed services, mobile devices and the internet.
Quite simply, the perimeter is either disappearing or becoming much harder to define - and that is posing enterprise security challenges. Security is being rearchitected in response and that is a challenge not just for enterprises but for service providers, partners and resellers.
Reseller News and its sponsors, Symantec and Westcon-Comstor, assembled an elite group of providers and partners to discuss those challenges and how the channel is responding to them.
So what is this new environment and what are the challenges it presents? At the centre of it all lies the indefinable cloud, but what was once seen as part of the security solution is also turning up new problems.
Datacom associate director of sales and business development Mark Ellis said there is a general acceptance that moving to the cloud doesn’t solve security problems, instead it injects new problems that didn’t exist before.
“There was a period where customers were pushed to the cloud and made that sort of naïve assumption that all of their problems went once they abstracted into Azure cloud, for example,” Ellis said.
“I don’t believe that that is the way that our customers understand the cloud environment today.”
The first wave of excitement was all about what the cloud could give, said Dean Graham, A/NZ enterprise manager for Insight Enterprises. They were asking what the cloud could give to applications and to the business.
“I’m going to be able to drive cost out. I’m going to be able to catch the market. I’m going to be able to do exciting things for my people - and by the way is somebody keeping an eye on the back door here, are we okay?”
In the rush, there’s been stumbling and pain and people are remembering security was important and maybe it still is important – and the application security piece is a core part of that.
Ellis said in the last year in New Zealand he had seen a radical change focusing on multi-cloud security, but that has also led to imprecision in the language used to talk about the issues.
“I think you’ve got to recognise that security and cyber security and information security, network security are all radically different things and the only thing they have in common is protection, but they are very, very loosely coupled,” he said.
Customers are spending more time securing applications today where in the past they only secured networks with the focus often on end-point security or maybe firewalls.
“Customers now are only interested in securing applications as a general rule,” Ellis said. “So, securing the application is the key, not securing the data centre assets that are sort of obfuscated behind the network.”
There is an aspect of “shutting the barn door after the horse has fled”, said Sam Taylor, Symantec’s New Zealand country manager.
Customers want to know where their data is now sitting and what is actually going on, effectively asking for a “shadow audit” to help define the scope of their security problem.
Enterprise customers are trying to liberate users from the network so technologies and approaches such as VPNs or locking applications and data behind very big firewalls are becoming legacy.
“They want to open up their data centre and let people in, but also ensure that can be done without putting applications at risk and allowing an attacker in so they can go east to west very quickly through the network ,” Taylor said.
And that brings the discussion back to the perimeter.
Westcon-Comstor sales and marketing manager Simon Goode said securing applications is right, but there’s still a lot of phishing, ransomware and a lot of other ways that people are still attacking businesses.
One of the world’s largest aluminium smelters, for instance, was brought to a grinding halt last month by a severe ransomware attack.
“That’s not about securing the application that is about securing the perimeter, so I think there’s a bit of that as well,” he said. “You’ve got to look at both.”
Experts at the roundtable agreed, service providers need to go back to the start to unpackage customer expectations and define “cloud”.
Customers can think because a provider manages their firewall, they also manage their security and have an expectation, privacy, GDPR and data localisation are also in hand.
Exacerbating the issue is the fact many boards don’t truly understand the issues and organisations have less institutional knowledge about it.
Plan B CEO Frazer Scott said the kernel of storage or compute managed by Microsoft or AWS or whoever is incredibly secure, but there are a lot of other perimeters and complexity around that. Every customer Plan B talks to has security front-of-mind.
“Sometimes it’s the IT manager saying ‘can you help me convince further down the line that we’ve got a problem we need to address?’”
Some, like SMB specialist Acquire, are building security practices because customers are demanding it.
“Cloud is the best option for them,” director Kelly Raines said. “They’ve got a lot more mobile workforces out there, a lot more choose your own device and bring your own device, and obviously cloud is the most effective way of solving those problems.”
Symantec senior channel director for A/NZ, Klasie Holtzhausen, reckons part of the issue is customers don’t know what they don’t know.
When they move to the cloud, many make the assumption that because systems are running on one of the very well-known infrastructures it must be secure.
“The second challenge with that is they don’t have the resources and the skills to address a challenge that is getting bigger and moving faster than anybody can think about.”
Another issue is organisations are losing track of and control over their information.
“Do they understand what they have? Do they know what the right applications and information are to move to the cloud? And once it’s there how do they monitor it? How do they manage it to make sure it doesn’t fall in the wrong hands?”
Those questions also speak to shadow IT, where cloud systems are implemented outside proper management and control structures.
It’s not just about the firewall anymore. With the shifting perimeter and users demanding access from anywhere from any device organisations need a more complete end-to-end view of their security posture.
For many organisations, it is the adoption of Microsoft’s Office 365 that became a catalyst for some serious questioning, analysis and action. And New Zealand organisations have been a very early and enthusiastic adopters of the cloud-based office productivity suite.
Datacom’s Ellis said the adoption of Office 365 across all of Datacom’s enterprise clients, is a given.
“They’ve either done it or they are trying to figure out how to do it,” he said. “I don’t think we have many customers that are holding out not to do it.”
As soon as they move everything changes for them.
“There’s absolutely no doubt that understanding how to secure that information once they’ve given it out from the tight perimeter they used to own and control was top of mind for most of them.”
That said, the cloud is definitely more secure than running large legacy environments with 20-year-old firewalls and 50-year-old firmware running on old mainframes.
“The challenge is you do have to take responsibility for it for yourself,” Ellis said.
David Small, of Softsource, said the ongoing issue with Office 365 and other platforms is that security is a conversation that constantly happens after the fact.
“It needs to be up-front and in the base conversation about going to these cloud platforms,” he said.
Read more on the next page...
The issue then is that the customers don’t know what questions to ask.
“I had a conversation just the other day with a SaaS provider who was holding data of managed services providers and when I questioned security the comment back was ‘it’s in Azure, secure’.
“There was no thought around that data because it wasn’t their data, it was maybe my data or another MSP’s data, they didn’t see that.”
Symantec’s Taylor said security events still typically trigger changes and investment but that is changing, not least with larger organisations appointing chief information security officers (CISOs).
“We’re also seeing a lot of resellers do a CISO as-a-service to try and address the parts of the market who can’t afford or can’t access the talent of a dedicated CISO,” he said.
Partners are stepping in to fill that gap and provide advice from someone who actually understands security.
The adoption of Office 365 creates other issues, Taylor said. End users have to decide, for instance, whether to pay Microsoft for in-built Office 365 security tools. That can lead to fragmentation if the users are using multiple cloud services.
“All of a sudden you’ve got to manage that across multiple tool sets. You’ve got to duplicate the security controls, you’re trying look at events occurring across multiple places.”
Dean Graham, of enterprise manager A/NZ of Insight Enterprise, said for most the Office 365 journey still sits squarely inside the infrastructure teams of days go by. You would therefore expect the thought and understanding was there along with some concern around security and how to deliver that to the new platform.
On the application side, however, there is a level of panic bubbling up from all quarters.
Often the CIO finds out late in the piece that a part of the business has, for instance, discovered and implemented a way to automate a production line long before they’ve turned to the IT team.
“I think that’s when you get the two-step nature of the security thing happening in the back of the conversation. So, the normal governance, the normal stuff you could expect around any form of roll out is the struggle,” Graham said.
“And it’s critical because now you’re starting to tap into the absolute blood flow of an organisation, its profit centres and its capability and yet it hasn’t had the hands that have always historically been there: the IT managers, the CIOs, the people for whom this stuff that is a constant discipline, or at least it is as disciplined as they are.”
For SMBs the decision to go to the cloud is about costs, said SAS IT’s incoming CEO, Matt Roberts. It’s an opex, subscription-based service not a capital cost and that is what they need. It follows that security is not front of mind.
“I don’t think a lot of businesses have realised what their exposure is and what their risk is and how they can impact on their business, they just depend on a reactive capacity and deal with what they have to deal with.”
Plan B’s Scott recently left Microsoft where he found a lot of good things were happening in NZ mid-market companies because security and functionality were not mutually exclusive.
While there is network security, perimeter security and application security good user identification and authentication can “light that up” to deliver seamless functionality, productivity and security.
“The two don’t need to be mutually exclusive,” he said. “You can have a high degree of user autonomy within a secure world, but it has to be really thought through.”
Insight Enterprises’ Graham was among several roundtable participants who expressed disappointment New Zealand’s looming compulsory breach notification requirements have been softened. Compulsory notification could have been a catalyst for increased change and awareness.
“We love to promote and educate and feed with the carrot, but someone needs the stick,” he said. “There’s got to be something sitting in the back somewhere that is beyond public opinion and public exposure.”
SAS IT’s Roberts sits on a couple of boards with responsibility for protecting the brand from risk in event of an attack. But the bigger issue is the data.
“So, I’m on the board of the YMCA who have got children and family information now up in the cloud,” he said. “I can tell you that every one of our board members is asking the security question because if that’s breached they are personally liable.”
Symantec’s Holtzhausen said the market is looking at the channel for education and to take on their IT and their infrastructure - and that incorporates security.
A service provider specialising in infrastructure and applications now has to look after security as well, he said.
“If you don’t have that capability you have to partner with somebody and make it part of your ecosystem to deliver that service and that outcome for the customer,” he said.
“So, whether you’re a security specialist or not, as a partner I think you need to work out very quickly how you can address that component whether you can upskill and become the trusted advisor in that space or whether you perhaps partner with somebody else as a combined team.”
Taylor said he didn’t know of any partners who are not selling security but it’s very much “if it’s asked for”.
“The real challenge comes around the delivery of that side of things and how they actually roll it out in a way that helps the customer prevent the threats.
“We are seeing the emergence of a number of smaller pure-play security resellers in the last three to four years, spun out from people at various bigger resellers and starting their own firms.
“That only goes to show what the demand is.”
However, security resources are few and far between and it becomes very difficult to find that talent on your own, he added. A lot of resellers are either looking to partner or finding vendors who can assist. Vendors are also coming out with managed security services as well.
With so many vendors in the market, another opportunity beckons for resellers – guiding clients through that maze, said Holtzhausen.
“We’re integrating with many different partners, some of them are competitors, but that’s the way to go to provide that integrated solution to a customer that drives down complexity because this is a complex space that we’re playing in.
“You can imagine the complexity that exists and how confused customers must be when they look at the space.”
For distributor Westcon-Comstor, it’s all about enabling the channel, whether through sales training, technical training or helping with certifications, said Goode.
There are very capable resellers and others who haven’t been security resellers in the past and are looking to get into security. So, there is a big difference in partner cyber security maturity.
In addition to a range of more standard distribution capabilities around pricing, logistics and ordering, Westcon-Comstor also offers cyber strategy resources such as a “sandpit” capability.
“We’ve got some technology, all the technology, for example, for Symantec back in our labs that we have access to for the resellers to try trial proof of concepts.”
Symantec’s Taylor said the fact security is often an afterthought or an add-on after the fact creates an opportunity for the channel – to do it the other way round.
“Every time you buy a computer, write an application, buy a tool or what have you the security considerations need to be baked into the decision process, not something you can deal with at the end,” he said.
This exclusive Reseller News Roundtable was in association with Symantec and Westcon-Comstor. Photo by Maria Stefina.