Moore’s Law has been with us for more than 50 years now and proves as true today as it did in 1965: The density of an integrated circuit will double every two years. With more powerful chips, technological capabilities grow geometrically. Systems become lighter, faster, more compact and more powerful. This ongoing change forces enterprise architectures to continually evolve, and security strategies need to keep pace.
At the same time, corporate spending patterns for security haven’t changed much over the years. According to a recent report from the SANS Institute, the majority of spending is on system protection and breach prevention (72.4 percent), followed by detection and response (62.8 percent), compliance and auditing (58.6 percent), risk reduction (49.7 percent), training (45.5 percent) and other operational areas. What has changed is the nature of the threats. Hackers and cybercriminals have become smarter and more aggressive, and the enterprise architecture has changed with the cloud, which calls for new security tactics.
For example, consider the proliferation of “mega breaches” in which retailers, medical operations and government agencies are targeted and tens of thousands of consumer records are compromised. The Ponemon Institute dubbed 2014 “A Year of the Mega Breaches,” with Target and other big companies seeing huge data breaches. However, the responses to these mega breaches is the same as it always has been: Add more security to attempt to block infiltrators. With the increasingly open nature of enterprise networks, more effort (and money) should be spent identifying breachable data instead.
Gone are the days when you can build a security moat around your enterprise. Today, you have to protect the data itself, because IT can’t always control data access from the cloud or handheld devices.
The Cloud Has Changed the Rules
Cloud computing has changed the nature of security. Cloud applications and remote endpoints are pushing security beyond the control of the IT department. Mobile technology is becoming increasingly prevalent for business applications, and mobile data is being transferred via the cloud. As a result, enterprise architects are starting to adopt a “cloud security-first” approach to network security with tactics such as:
- Be prepared for recovery at any moment. Track the apps in use and know their risk profiles.
- Use data protection, including encryption, data masking, tokenization and other techniques.
- Maintain visibility throughout the enterprise, including event management and knowing who is using which cloud applications.
- Improve threat intelligence, including knowing what software is up to date and where the vulnerabilities lie.
- Control access to cloud applications and assets.
- Train everybody, including the IT team and users.
IT departments are continually strapped for resources and staff, but that doesn’t mean they can afford to turn their cloud security over to cloud service providers. Cloud services can be just as susceptible to cyberattack. Maintaining visibility, keeping close track of vital data assets and performing regular audits can help maintain control of cloud security.
Secure the Data
Wireless data access also has opened up a new set of security challenges. As data migrates to the cloud, it’s easier for mobile users to access that data using handheld devices such as smartphones and tablets. This provides another layer of security complication, because handheld devices are seldom under the control of IT, especially with trends like “bring your own device.”
Organizations have two options to secure mobile data: Lock down the devices or lock down the data.
Locking down devices can be extremely challenging, especially if the company doesn’t own them. Requiring employees to add protective software and maintain security protocols for mobile data access helps, but ultimately IT has no control over how mobile devices are used. Anyone can download malicious applications or use their devices in unsecure environments that expose data. The best recourse is to use mobile device management to track and control mobile device access.
As computing technology continues to evolve, it makes more sense to focus on securing the data as well as the infrastructure. The networking systems will continue to change and evolve to accommodate faster processing speeds and more information storage, which means security strategies will need to evolve as well. However, the security threat is to the data itself. Securing data using stronger authentication and encryption will provide stronger security with less concern about protecting the infrastructure.
Solution Providers Help Keep Pace with Change
Because the only constant is change, the only way to maintain effective security is to be prepared to change with the latest technology. This is where solution providers can offer assistance.
Continue to educate customers about the latest security trends. Help them develop adaptable security strategies that are easier to upgrade as new security threats and best practices emerge.
Solution providers need to stay current with the latest security trends themselves by talking to vendors and suppliers. Stay current on the latest technologies and security solutions, and when a new security platform starts to take hold in the market, be prepared to advise customers on how and when to upgrade their own security strategies. The challenge is knowing when it’s time to consider adopting next-generation security solutions rather than chasing the latest fad.
Most of all, solution providers need to talk to their customers. Understand their security concerns and their comfort levels with risk. Organizations in financial services and healthcare, for example, are fanatical about data security, because a data breach would be disastrous, both in terms of cost and regulatory compliance. Other types of companies will be less concerned with bulletproofing data security, but they will likely have intellectual property that requires special attention.
No one security strategy meets everyone’s needs, but whatever security strategy an organization chooses to adopt, solution providers should be there with counsel and solutions to help the organization stay ahead of the latest threats.