The most forward‐thinking companies have recognized the difficulty of bolting cybersecurity onto IT piecemeal and are starting to act aggressively to put security at the very heart of their technology environments. Specifically, they are accelerating their adoption of private clouds, using public cloud services selectively, building security into applications from day one, virtualizing end‐user devices, implementing software‐defined networking, and reducing the use of e‐mail as a substitute for document management.
Naturally, many of these improvements depend on the success of major initiatives led from outside the security team and implemented for a combination of reasons, including efficiency and flexibility even more than their security benefits.
- Accelerate Migration to the Private Cloud
Motivated by lower costs and vastly improved flexibility, most large companies are putting in place standardized, shared, virtualized, and highly automated environments to host their business applications. These environments, in all their permutations, are known in practice as the “private cloud.” As early as 2011, nearly 85 percent of large companies we interviewed said that cloud computing was one of their top innovation priorities, and 70 percent said that they were either planning or had launched a private cloud program. Those that are further along have often found that they could migrate 60 percent of their workload to these much more capable and cheaper private cloud environments.
- Use the Public Cloud Selectively and Intentionally
A few years ago, account executives from a major public cloud provider called on the head of infrastructure at one of the world’s largest banks. They made a compelling presentation about how much they had invested in their cloud platform and the richness of its capabilities. As the pitch concluded, the head of infrastructure complimented the account team but had just one question: “I have data that can’t leave the United States. I have data that can’t enter the United States. I have data that can’t leave the European Union. I have data that can’t leave Taiwan. If I used your service, how would I know all those things would be true?”
One of the account team replied, “That doesn’t make any sense. Why would you want to run your business that way?”
To which the head of infrastructure said, “You seem like nice boys. Why don’t you come back in a few years when you have this figured out.”
It is for just these reasons that large enterprises have been reluctant to turn to public cloud services (especially infrastructure). They remain unconvinced that providers have figured out how to provide enterprise‐grade compliance, resiliency, and security. Our survey results back this up. On average, companies are delaying the use of cloud computing by almost 18 months because of security concerns. In many interviews, we heard chief information officers (CIOs) and CISOs express concerns that malware could move laterally from another company’s public cloud‐hosted virtual servers to their own because both would be running on the same underlying infrastructure.
- Build Security into Applications
Application security mattered less when employees accessed corporate applications from desks inside the company’s buildings. Today, companies cannot control such a clear bricks‐and‐mortar perimeter, and highly functional applications are available to both customers and employees who expect to access them anytime, anywhere.
The result is that attackers can use application‐level attacks, gaining entry through the web browser that now serves as the gateway into the application.
For example, attackers were able to lift customer data from one bank because developers had placed sensitive information in the URL shown in the browser’s address bar of the company’s online banking application. Anything in a URL is recorded in browser history and in proxy and web‐server logs, and is sent onward in the Referer header of links the page contains, so it is effectively exposed even without a break‐in.
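The pattern behind that incident, as an added example that is not part of the original text: the vulnerable form puts account data in the query string of a GET request, the hardened form exposes only an opaque server‐issued reference that is resolved against server‐side state and checked against the caller’s session, and a small scanner flags access‐log lines whose request URL carries sensitive parameters. The parameter list, host names and log lines are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Query-string parameter names that must never appear in a URL.
# Assumed list for this example; a real deployment would tune it.
SENSITIVE_PARAMS = {"account", "acct", "accountnumber", "ssn", "balance",
                    "password", "token", "sessionid"}


def statement_url_vulnerable(base, account_number, balance):
    """Vulnerable: account data travels in the URL, so it lands in browser
    history, proxy and web-server access logs, and the Referer header of
    any outbound link on the page."""
    return base + "/statement?" + urlencode({"account": account_number,
                                             "balance": balance})


class StatementService:
    """Hardened: the URL carries only an opaque reference; the server maps
    it back to the account and checks ownership before rendering anything."""

    def __init__(self):
        self._refs = {}  # opaque ref -> (customer_id, account_number)

    def issue_ref(self, customer_id, account_number):
        ref = secrets.token_urlsafe(16)  # unguessable, no meaning outside the server
        self._refs[ref] = (customer_id, account_number)
        return ref

    def statement_url(self, base, ref):
        return f"{base}/statement/{ref}"

    def render_statement(self, ref, session_customer_id, balances):
        owner, account = self._refs.get(ref, (None, None))
        if owner is None or owner != session_customer_id:
            return None  # unknown or forged ref, or another customer's: refuse
        # Sensitive data goes in the response body, never in the URL.
        return {"account": account, "balance": balances[account]}


def sensitive_params_in_url(url):
    """Names of sensitive parameters present in the URL's query string."""
    qs = parse_qs(urlparse(url).query)
    return sorted(k for k in qs if k.lower() in SENSITIVE_PARAMS)


def scan_access_log(lines):
    """(line number, flagged params) for each Common Log Format line whose
    request path carries sensitive query parameters."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            path = line.split('"')[1].split()[1]  # 'GET /path HTTP/1.1' -> '/path'
        except IndexError:
            continue
        params = sensitive_params_in_url(path)
        if params:
            findings.append((n, params))
    return findings


# Constructed access-log lines: one leaky URL, one opaque-reference URL, one static asset.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2015:10:01:12 +0000] "GET /statement?account=12345678&balance=9042.10 HTTP/1.1" 200 2326',
    '203.0.113.5 - - [12/Mar/2015:10:01:40 +0000] "GET /statement/Q7wq1nX0e4ZdP3kYv8_8Xg HTTP/1.1" 200 2326',
    '198.51.100.9 - - [12/Mar/2015:10:02:03 +0000] "GET /static/app.css HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print(statement_url_vulnerable("https://bank.example", "12345678", "9042.10"))
    svc = StatementService()
    ref = svc.issue_ref("cust-1", "12345678")
    print(svc.statement_url("https://bank.example", ref))
    print(svc.render_statement(ref, "cust-1", {"12345678": "9042.10"}))
    print(svc.render_statement(ref, "cust-2", {"12345678": "9042.10"}))
    print(scan_access_log(SAMPLE_LOG))
```

Running the scanner over existing access logs is a cheap way to find this class of exposure before an attacker does; the ownership check in `render_statement` is what stops a leaked or guessed reference from being replayed by someone else.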
- Move to Near Pervasive End‐User Virtualization
For all the creativity and resourcefulness of cyber‐attackers, one common situation remains the starting point for many attacks. The attacker sends an employee a phishing e‐mail and the employee clicks the link, which takes him to a website that installs malware on his device. The attacker is in.
Cybersecurity teams used to rely on antivirus software to protect desktops and laptops from malware, but two developments have reduced the effectiveness of that model. Advances in malware have meant that more and more of it slips past antivirus software, and as employees expect to work anywhere, companies have to manage new types of client devices with new types of security vulnerabilities, specifically smartphones and tablets. As a result, sophisticated institutions are finding they have to move to virtual end‐user environments, where both traditional and mobile end‐user devices simply display information and collect user input but store very little locally.
- Use Software‐Defined Networking to Compartmentalize the Network
In a world where nobody can eliminate breaches, it becomes especially important to contain the attacker’s ability to move from one infected node of a technology network to the next. This “lateral movement,” as it has become known, is getting harder to prevent as the corporate network environment has evolved, leaving IT organizations with a tough choice between preventing attackers from expanding their reach and introducing too much operational complexity. Software‐defined networking eases that trade‐off by letting segmentation policy be defined centrally and enforced in software, so that compartments can be added or changed without hand‐maintained VLANs and per‐device firewall rules.
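What compartmentalization buys, as an added example that is not part of the original text: a small model of a default‐deny, zone‐to‐zone segmentation policy of the kind an SDN controller would enforce, beside a flat network, with a function that computes how far an attacker could pivot from a single compromised host. The hosts, zones, listening ports and rules are constructed for the example.

```python
from collections import deque

# Constructed hosts and the zone each belongs to.
HOSTS = {
    "ws-101": "workstations", "ws-102": "workstations",
    "web-1": "web", "app-1": "app", "db-1": "db", "jump-1": "admin",
}

# Constructed services each host listens on (host -> ports).
LISTENING = {
    "ws-101": {445}, "ws-102": {445},
    "web-1": {443, 22}, "app-1": {8443, 22}, "db-1": {5432, 22},
    "jump-1": {22},
}

# Default-deny segmentation: a flow is permitted only if an explicit
# (source zone, destination zone, port) rule allows it. Nothing may reach
# the admin zone; workstations may reach only the web tier on 443.
SEGMENTED_POLICY = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("admin", "web", 22), ("admin", "app", 22), ("admin", "db", 22),
}

# Flat network: everything can talk to everything ("*" is a wildcard).
FLAT_POLICY = {("*", "*", "*")}


def flow_allowed(policy, src_host, dst_host, port):
    """True if some rule in the policy permits src_host -> dst_host:port."""
    if src_host == dst_host:
        return False
    src_zone, dst_zone = HOSTS[src_host], HOSTS[dst_host]
    return any(rs in (src_zone, "*") and rd in (dst_zone, "*") and rp in (port, "*")
               for rs, rd, rp in policy)


def blast_radius(policy, compromised):
    """Hosts an attacker starting on `compromised` could reach by pivoting:
    breadth-first search over allowed flows to listening ports, where every
    newly reached host becomes a new source."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for dst, ports in LISTENING.items():
            if dst in seen:
                continue
            if any(flow_allowed(policy, src, dst, p) for p in ports):
                seen.add(dst)
                queue.append(dst)
    seen.discard(compromised)
    return sorted(seen)


if __name__ == "__main__":
    # A phished workstation on a flat network reaches every other host;
    # under the segmented policy it reaches only the application chain.
    print("flat:     ", blast_radius(FLAT_POLICY, "ws-101"))
    print("segmented:", blast_radius(SEGMENTED_POLICY, "ws-101"))
```

The segmented result still includes the app and database tiers, reached by pivoting through the web tier; segmentation shrinks the reachable set and forces the attacker through each tier’s exposed service in turn, but it does not replace hardening those services.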
- Use Dedicated Document Management and Workflow Tools Instead of E‐mail
Some CISOs say that they are quietly confident about how their company protects the structured data it stores in databases, but have sleepless nights about the extremely sensitive information that executives pass back and forth to each other via e‐mail attachments. Documents make up a growing share of their company’s data, and many of the controls they use to protect structured data just do not apply. A few companies have started to get control of this type of data by creating and mandating the use of sophisticated capabilities for managing sensitive documents. More need to catch up with them.