Security 2016 - Time to act as the stage is set - but tackle the "elephants" first (part 2)

I started 2016 in bullish form with predictions for security based on the lows and highs of 2015. I touched on two on the many market catalysts set to transform both today and tomorrow’s worlds, enterprise mobility and the Internet of Things but highlighted I would mention three more. Part two of my security outline kicks off with my final three security focus areas for the first half of 2016, journey to the “cloud”, security for the SDDC and the need for intelligent people to “act smart”.

The enterprise journey to the cloud continues to be hindered by concerns robust enough to offset the unquestionable benefits. If enterprises are already challenged to secure local environments that benefit from additional levels of physical control and proximity, why would the need to secure information flowing through an external often multi tenanted service provider not highlight similar (and different) challenges. Pre 2016, it was straightforward for enterprises to deliver a blanket response “we don’t use the cloud” often citing security concerns and with no need for further explanation, but with shadow IT research validating authorised and unauthorised cloud usage exists whatever the policy, neither authority or ignorance seems to matter.

It’s therefore time to go “back to basics” and remove years of accumulated assumption of business functions and application flows and replace it with rigorous understanding. With a revisited / restated view of people, process, application flows controls and compliance expectations, “what” can be delivered via the cloud becomes clearer (“how is a whole different ball game”). Whether via internal or external assessment or audits, enterprises must obtain a robust and realistic “current state” view to calibrate the cloud trajectory and thus maximise the business benefits of cloud service delivery. This common sense view is my consistent response to mute the many often unfounded concerns of cloud service delivery or published negative cloud consequences. And I frequently pose the question “Can you really tell me now restated for now, the who, what, how of your business IT operations & applications calibrated by relevant controls”? If the answer is no, effective security for the cloud journey may have no effect at all. Time for change to make cloud service delivery a consistent, secure reality.

Following on from the cloud is the software defined datacenter (SDDC) snowball that continues to gather pace. SDDC ideals are no longer if or when for enterprise organisations with substantial workloads or IT services already delivered primarily via software elements. It’s the dynamic, frictionless, highly agile operational persona offered by a predominantly automated software driven environment that holds so much promise. But common to every “must have”, “must do”, “next big thing”, IT trend is the “what about security” question?

First off, will be a straightforward perspective – “avoid the security retrofit”, time for a security reset. Security must be the core deliverable of the SDDC outcome therefore can never be deemed an add-on or optional extra. When application dependencies and process workflows are in early draft mode (potentially in the earlier stages of the development cycle) the security expectations must be identified, qualified and externalised. Deferring security to later phases or accommodated via an assumption of inherent safety delivered by default is fundamentally flawed as applications and workloads become increasingly fluid in location and state.

A silver bullet of the SDDC ideology is the potential and proven reality of security moving always from a perimeter based ideal to an intelligent functional state as close to the workload as possible (in fact the workload is no longer a workload to be secured, but instead a “secure workload”).  This new attitude to application and workload delivery must drive a “blank sheet of paper” review of security to ensure one of the most compelling benefits of the SDDC journey can be fully realised. An enterprise journey to the cloud presents the long overdue opportunity (and investment) to “get security right” – use it, don’t lose it.   

And lastly its “people time”. The rise and rise and continued rise of the digital enterprise will fundamentally shift the way business services are operated, consumed and ultimately secured. We are venturing into the unknown and therefore wrestling to find answers to an endless stream of security questions. But is this state really unknown, I suggest not. The "enterprise" digital enterprise may be no more than the digital DNA already the vital fluid of the modern social network driven arena spilling over to and thus redefining the enterprise. Create and destroy data information instantaneously, join and graft multiple and previously unconnected data sources together to create new insight / new opportunities, always on, always now - isn't this the digitisation defined “social world” already our norm.

And possibly with that Eureka moment appears an equivalent reality check, we still haven't solved the security problem (s) in the digital social network world, in fact we at times we are not even close. And the main reason - "people". As technology improves (both systems and security) people reduce their level of vigilance & diligence and increase their expectation that the "system will deliver protection". Nothing could be further from the truth. I fear we may arrive at a state where there is little more that can be done from a security systems based neural or autonomic perspective. In other words, we have put as much logic and decision making in the system to determine and remediate as much as it can from a security perceptive in an acceptable timeframe. And then what or who is left in the chain as the primary attack vector, the same primary attack vector that has always existed - “people".

Which drives me to highlight that 2016 may be the year enterprises revisit and reinforce the level of individual accountability that all system users are vigilant, diligent and aware of the security implications of their actions. Or sadly those same users may be affected by the double edged sword of compliance and personal liability. This is a step change forward from the never read acceptable use and security policies. Tough talking and a disappointing road to traverse, but the enterprise may no longer have a choice – systems cannot secure the organisation alone. With flexible working, dynamic workplaces, fluid workloads set to be a normal business state, every corporate endpoint whether human or system has the same responsibility to evaluate and maintain a company desired security state.

And this closes the security predictions overview for the first part of 2016. Whether it’s the increasingly mobile user or interaction with intelligent devices or “things” or dynamic services delivered by highly innovative new market entrants, optimum security will ensure the unquestioned benefits of this increasingly "digital" world arrive with minimal sting in the tail. I am not inferring optimum security has never been important before or isn’t delivered today by highly effective practitioners, it is and that fact it is, minimizes the negative consequences only a mouse click away. But everything we have delivered before is now under attack in a manner beyond our traditional level of understanding with the result it’s time to “deliver now” but with tomorrow’s expectations in mind. Time to change (ps, I am not advocating “patch management” for people – or am I?).

Until next time

Colin W

Twitter: @colinwccuk

Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration.