CIOs and CISOs must shift their mindset from network-centric security to data-centric security in order to have visibility over their data, says Petko Stoyanov, Global Chief Technology Officer at Forcepoint. He examines why this is important and offers some best practice advice for simplifying security when it comes to the cloud.
The perimeter is not dead, it just moved. It relocated from the network where it used to be for decades, to where your data lives today. So, let’s ask this: is your house in order?
Many organisations don’t know where their data is, let alone how to protect it. If they can find it, they can control access and secure the data if it ever gets out. As the focus narrows to data, what we previously thought of as network-level security disappears. Security becomes all about access and control. As security and business executives seek greater control over their data in 2023 and years to come, we expect organisations to continue consolidating security capabilities and move towards unification and simplicity, driven by the evolution of multi-clouds.
As we consider how security will evolve, let’s first dust off the medieval analogy of castle and moat – particularly as we consider the future. Instead of building one big castle and moat (the traditional network perimeter), the data perimeter consists now of many little houses and gardens.
Each has a single door: the Zero Trust Network Access (ZTNA) door. To have visibility of their data and to keep it safe, CIOs and CISOs must shift their mindset from network-centric security to data-centric security.
People didn’t purchase security like network firewalls because they needed firewalls. Rather, they needed to protect something of value: their data. However, you can’t defend moving targets, your remote workers and data, with traditional point products. The cost and resources required is bad maths. You can’t keep a complicated treasure map of where everything is stored. The number of potential houses and open doors to data will be a major factor in spurring the movement to consolidation.
The other is the reality that as the importance of data grows, the usage of multiple clouds increases exponentially. Cloud transformation no longer means putting all your data in one public cloud provider. It’s naïve to think that a cloud is simply IaaS – like Azure or AWS. IaaS is only one use case for cloud. Multi-cloud goes beyond IaaS to encompass SaaS, in the prevalence of cloud-based apps like Workday and Slack; PaaS, or platforms used to build custom apps; and CaaS for containers. It’s any cloud service that can deliver data to our employees, contractors and partners. No company is a single cloud user, everyone is multi-cloud, and this is a future we need to embrace.
Within this definition of multi-cloud, we must also include on-premises private clouds. The best kept secret of multi-cloud is that it is hybrid – and everyone will continue to be hybrid for years to come. Think of applications you maintain in the data centre due to regulatory compliance or economic reasons.
A big concern with clouds is data residency and regulation. Privacy laws govern the physical locations for users and physical storage for data. Your data or users may be in the US, for example, but your global headquarters is in Germany. Regulated industries like finance and healthcare will continue to deploy applications on-premises until emerging technologies like Confidential Computing become more mainstream. (Confidential Computing secures your data in the cloud by keeping it encrypted while it’s being processed).
Even if they’re not highly regulated, some businesses may find it makes more fiscal sense to retain corporate infrastructure. They may have a small number of private applications with a long history of data, say seven or 10 years’ worth. It can be more cost-effective to secure records through an appliance housed in the data centre instead of in the cloud. Security organisations, therefore, need hybrid deployment, as on-prem is just an extension of what they have in the cloud. Teams will seek ways to manage access and control to those appliances or to the data through the cloud.
Greater unification of those access controls will be vital to organisations amid their transformation journeys. Unifying security management starts with unifying identity access and having an analytics platform that centralises security logs. This includes identity-based segmentation, by identity and user role, which provides much-needed visibility and granular policies on user access to sensitive data. All this intelligence flows into defining and managing one set of security policies from one console and through one endpoint agent. The unified management should apply to all business data accessed through any website, cloud app and private (corporate) app. It should control how employees, contractors and partners use managed and unmanaged devices so that no one can bypass security enforcement, even if they’re using BYOD.
Moving towards security simplicity and consolidation will be table stakes to becoming a digital-native enterprise. How you use or create data will dictate a future for security where less becomes more. Unification and simplicity is the new calculus for security. And the easy path to convergence will be what enterprises and governments will ask for from their security partners.Click below to share this article