Hybrid cloud: experiment but safely
8 June 2018
Enterprises face a raft of threats, attacks and threat actors while running, in many cases, more than 60 separate security solutions.
These were some of the points made by Paul Shanahan, Intelligent Cloud business group lead, Microsoft, at the recent TechFire on security in the hybrid cloud environment. He said that identity-based attacks were up 300%, while 96% of the malware detected was both polymorphic and automated.
In this environment, organisations are struggling to ensure that security policies and strategies are successfully extended to the cloud, while leveraging the capabilities of cloud service and platform providers.
Chris Davey, security practice lead at Accenture Ireland, outlined six key headings for organisations to ensure a comprehensive programme to embed security throughout the enterprise’s cloud lifecycle.
Under the headings of governance, data, users and identity, infrastructure, platforms and software, and integration, Davey detailed key actions to provide “due diligence to a cloud security strategy”.
Bill Malik, vice president of infrastructure strategies, Trend Micro, outlined how hybrid cloud’s flexibility can be harnessed to secure and implement Internet of Things (IoT) infrastructure.
He said that securing IoT 1.0 is now relatively well defined, but the emergence of new technologies, termed IoT 2.0, requires additional measures. Key challenges for IoT 2.0 include operational constraints such as real-time responsiveness, reliability, non-disruptive failure modes and safety; the integration of DevSecOps with IoT methodologies; and the integration of IT operations with industrial control operations.
Malik said reference architectures are now available that leverage the capabilities and security features of platforms, such as Microsoft Azure, that can cover the major pillars of network security, system security and malware prevention.
In the panel discussion, the issue of data classification was brought up, and specifically the necessity for each business unit to take ownership of its data. An attendee said that they had used the data classification element of the General Data Protection Regulation (GDPR) to encourage the business into taking ownership of the data. They said that by helping the business with data classification as part of compliance efforts, they were able to help the business take ownership of their data, and all that entails, from security to lifecycle management.
The attendee added that this had allowed them to introduce other elements of change, adding that once the business accepts that they own the data, it is much easier to get other initiatives through.
Shanahan commented that this reflected Microsoft’s own journey to compliance, and even going a little further to indicate what happens when things go wrong.
From the CEO, he said, it has come down that all senior business leaders are the owners of their data. IT puts in the controls and the business drives adoption, but enforcement of that responsibility for the data rests with HR.
“If you work outside of the policy, you are not marched into the IT director’s office, you are marched into the HR director’s office,” said Shanahan.
Setting those clear roles and responsibilities is very important, he added. Compliance can be a very good method of driving ownership and making responsibilities clear.
Data breach management
On foot of these discussions, another question from the floor asked whether the data breach management team now consists of a whole new cast of stakeholders.
The answer was an emphatic yes.
Shanahan again said that, from Microsoft’s experience, data protection as a unit sits within the legal department.
“For us, the whole GDPR thing sat under legal. It’s a compliance thing, so that sits with legal,” he said.
Generally, he said, the CSO can validate that the tools and validation methods are in place to reduce the risk of a breach, but that is just one service function provided to the business. The awareness and training element sits with each business unit.
When it came to hybrid cloud and security, there were certain myths that must be dispelled, said Stuart MacLellan, head of IT operational service, South London and Maudsley NHS Foundation Trust, who gave the end user view.
MacLellan said that there was a need for clear communication to ensure that IT staff knew their jobs were safe, despite the move to cloud.
“Education was key for us,” said MacLellan. “The journey to the cloud was often about dispelling myths like moving to a cloud service will make IT people redundant. It’s not just the server people, but your network teams as well, and their roles, which very much change. But often the skills are very adaptable to the new services and you need that depth of knowledge and experience. That will empower your teams and allow them to experiment and innovate as an organisation.”
Experiment to innovate
The panel were unanimous in encouraging organisations to engage with hybrid cloud, to experiment and learn.
Shanahan said that sometimes organisations can be paralysed by fear.
He urged organisations to experiment, but to do it in a controlled way. Test everything in IT first, he advised, and learn all possible bad behaviours, as well as the adoption challenges so you are ready to field anything on a roll out. Grow by learning.
Accenture’s Davey was unequivocal on the point: “If you can’t experiment, you can’t innovate.”
Make sure that you have policies in place that are flexible enough to allow experimentation, he said, but with the rigour to ensure that if an experiment is successful and has to scale, it can be implemented.