The three pillars of security in an as-a-service world
This is a guest blog from Christian Reilly, VP and CTO at Citrix.
Today there are few – if any – companies that can survive without relying on a multitude of third-party applications and services. And this increasing reliance on technology that sits outside your physical infrastructure inevitably brings a number of new security implications with it.
As a business, then, how can you prepare for this ever-more cloud-driven world and ensure you’re as protected as possible?
In my mind there are three key pillars to keep in mind: visibility, technology and education.
Let’s go into each of those in more detail…
There are two angles to consider when thinking of visibility: the known unknowns and the unknown unknowns.
The former is where you know about potential problems but perhaps you don’t have the necessary tools to gain visibility across all those applications.
Where you’re likely to have unknown unknowns, however, is in situations where you’ve failed to provide people with the tools they need to do their job effectively.
In that case, they’ll likely go away and use their credit card to buy a service that you ultimately won’t know anything about, or even know is being used.
All of this can affect the visibility you have over your business and its potential vulnerabilities. Avoiding that lack of visibility ultimately comes down to this: you need to be an enabler – putting the right processes, governance, controls and balances in place that will allow you to stop being the department of ‘no’ and become the department of ‘yes’.
Doing so will give you a much clearer view of your organisation in the long run.
With technology, it all comes down to balance.
There are plenty of tools you can throw at security, but you have to be very cautious not to hinder people’s productivity in the process.
If you deploy technologies that are secure but make for a poor user experience, people will find a way around them. That’s human nature. So you have to weigh up the technology element against what the end user wants and needs.
To help balance this, consider using technologies that can be ‘invisible’ to the end user but invaluable to the organisation.
One example would be analytics and machine learning – combining these can help track ‘normal’ end-user behaviour patterns, but more importantly, it can help spot anomalies and act upon them, automatically adapting the levels of permitted access to systems and data.
Another thing to bear in mind as we move further into this outsourced IT world is that everything – every user, every app, every connection – should be untrusted until you can prove it should be trusted.
That’s not to say you don’t trust the people. But you should never automatically trust the context in which they’re working or the devices they’re using.
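The two ideas above, baselining ‘normal’ behaviour so that anomalies can adapt access automatically, and treating every context and device as untrusted until proven otherwise, can be sketched in a few dozen lines. The following is an added example, not code from the original post or from Citrix; the users, device identifiers, locations and hours are all constructed sample data, and the scoring rule (count the dimensions of an access event the user has never been seen with) is a deliberately simple stand-in for a real analytics model.

```python
"""Added example (not from the original post): baseline each user's normal
access pattern from constructed history, score new access events for
anomalies, and adapt the permitted access level accordingly.
All user names, device identifiers and locations here are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str
    device: str      # device identifier (constructed sample value)
    location: str    # coarse location (constructed sample value)
    hour: int        # local hour of day, 0-23


# Constructed history describing what "normal" looks like for two users.
HISTORY = (
    [AccessEvent("alice", "laptop-a1", "London", h) for h in (8, 9, 9, 10, 14, 17)]
    + [AccessEvent("bob", "laptop-b7", "Manchester", h) for h in (9, 10, 11, 13, 16)]
    + [AccessEvent("bob", "phone-b2", "Manchester", 12)]
)


def build_baselines(events):
    """Per-user counters of the devices, locations and hours seen so far."""
    baselines = {}
    for e in events:
        b = baselines.setdefault(
            e.user, {"device": Counter(), "location": Counter(), "hour": Counter()}
        )
        b["device"][e.device] += 1
        b["location"][e.location] += 1
        b["hour"][e.hour] += 1
    return baselines


def anomaly_score(event, baselines):
    """Number of dimensions (device, location, hour) unseen for this user.

    A user with no history at all is treated as anomalous in every dimension:
    nothing is trusted until there is evidence to trust it.
    """
    b = baselines.get(event.user)
    if b is None:
        return 3
    score = 0
    if b["device"][event.device] == 0:
        score += 1
    if b["location"][event.location] == 0:
        score += 1
    # Hours within one hour of any previously seen hour count as normal.
    if not any(abs(event.hour - h) <= 1 for h in b["hour"]):
        score += 1
    return score


def decide_access(event, baselines):
    """Map the anomaly score to an access level; context is never trusted by default."""
    score = anomaly_score(event, baselines)
    if score == 0:
        return "full"
    if score == 1:
        return "step-up-auth"   # require a second factor before granting access
    return "deny-and-alert"     # block the request and raise it for analyst review


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for ev in (
        AccessEvent("alice", "laptop-a1", "London", 9),     # routine
        AccessEvent("alice", "laptop-x9", "London", 9),     # new device only
        AccessEvent("alice", "laptop-x9", "Lisbon", 3),     # new device, place and hour
        AccessEvent("mallory", "laptop-m1", "London", 10),  # no history at all
    ):
        print(ev.user, ev.device, ev.location, ev.hour, "->", decide_access(ev, baselines))
```

Invisible to the user in the common case (a routine login gets ‘full’ access with no friction), the same logic asks for a second factor on a single unfamiliar signal and denies outright when nothing about the request matches what is known, which is where the ‘untrusted until proven’ stance and the productivity balance meet.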
Finally, you have to continually educate your workforce on the risks associated with cyber security.
The most effective way I’ve found of doing this is encouraging people to view corporate data and security on the same level as their personal data.
By that I mean: if someone was looking through their emails at home and saw a suspicious link come through, they wouldn’t click on it – so why would they do that at work?
These are the kinds of messages you need to be getting across. It’s about capturing the hearts and minds of your employees and helping them see security in a different way.
Generally speaking, the worlds of work and home are becoming increasingly blurred. If people can be safe with their personal data they can be persuaded to do the same with the data and applications they use at work.
Remember, your security is only ever as good as your last line of defence, and in many cases that is also your first line of defence: your people.
Make sure they’re prepared.
So those are my three pillars: visibility, technology and education.
Get each of those right and you’ll have a much better chance of securing your business now and in future.
That said, would you add anything else to this list?