|Issue:||Europe I 2016|
|Topic:||'Everywhere Enterprise’ heightens the need for cloud security|
|Title:||Director EMEA Channels|
Charles Milton, Director, EMEA Channels, Zscaler
Charles Milton has been EMEA Service Provider Director for Zscaler Inc. since 2010 and has been instrumental in Zscaler’s rapid growth from market entrant to leading Cloud Security service. Charles manages the strategic Service Provider relationships that form the primary channel for Zscaler’s services. Charles has worked in Information Security for 14 years and previously managed the EMEA service provider team for Blue Coat Systems for 6 years.
As the new age of IT introduces a change in workplace dynamics, Charles Milton, Director EMEA channels at Zscaler, looks at the race against time for Chief Information Security Officers (CISO) to secure a borderless enterprise network.
'Everywhere Enterprise’ heightens the need for cloud security
by Charles Milton, Director, EMEA Channels, Zscaler
Following a whirlwind of employees adopting cloud-based applications and social media platforms in the workplace, it has brought mobility to the top of the agenda for IT. The accessibility of networks means business now happens any time at any given place, establishing an era of the 'Everywhere Enterprise’.
It is evident that there is no longer a set perimeter as mobile devices can connect to 4G networks (soon to be 5G) rolled out in every major city with ease. To put this into perspective, we can even check our emails at 200 feet below the ground surface on London Underground platforms with public Wi-Fi networks.
While this workplace shift creates the benefits of increased agility and productivity it is creating a number of security concerns and threats if not managed properly.
According to the Ponemon Insitute’s “2015 Cost of Cyber Crime Study: UK”, the number of cyber attacks in the UK continues to grow in frequency and severity. The average cost of cyber crime is now £4.1 million per year. That’s a 14 percent increase in the average cost from 2014. Attacks are becoming more sophisticated and pervasive, preying on the weakness of companies that don’t secure the 'Everywhere Enterprise.’
Mobile workforce security dangers
The mobile ecosystem is very different than the ecosystem of PCs and this is especially true for security. In the workplace, PCs and laptops tend to be company owned/controlled. It’s therefore quite reasonable for the devices to be locked down and pre-loaded with security software that tracks all access and data.
This is not the case with Bring Your Own Device (BYOD) policies. End users are not willing to accept a paradigm whereby they personally cover the cost of a device, but provide the corporation with control over how it can be used. While BYOD may allow enterprises to lessen the cost of devices and service plans, it comes at the cost of losing control over the device.
It’s not surprising then that one of today’s big security challenges involves mobile users moving outside of the traditional security perimeter of organisations. By accessing the Internet with unsecured mobile devices, there is a danger that the device will be infected and import malware back into the corporate network. Or that the employee will fall victim to social engineering attacks when not protected by traditional enterprise security controls.
Outside of the office, security drops dramatically as the employee is no longer behind the network appliances delivering security, and on a smart device, they also likely have no traditional host-based security. In 2014 a staggering 68 per cent of UK businesses suffered a security breach from work mobile phones due to not implementing the right security solutions.
IT struggles to keep up with monitoring such a diverse range of network access points. It is inevitably losing control with the employee now pulling the strings. The worst thing is that attackers are fully aware of this imbalance and are exploiting it. This is why attackers have largely shifted their efforts to targeting end users and are often specifically targeting those that work remotely.
As we’ve seen with recent headlines, mobility has made it even easier to breach corporate security measures. Looking at securing users beyond the company walls means moving away from the traditional focus on perimeter defence.
15 per cent of large organisations had a security or data breach in the last year involving smartphones and tablets in 2014, up seven per cent from last year, whilst seven per cent experienced this relating to one of their cloud computing services as the use of cloud continues to rise. This is according to findings from the 2015 Information Security Breaches Survey conducted by PWC.
In this new age of progressive IT, with cyber security threats coming in from all directions, CISOs require a new approach to security; one that provides consistent policy, protection and visibility to all user and devices irrespective of location.
To make the 'Everywhere Enterprise’ a reality, employees have access to more appliances, cloud services and mobile apps these days than ever before.
Businesses need to see through the misconception that the danger of cyber attack is only from external hackers. More often than not with the 'Everywhere Enterprise,’ it’s caused – often innocently – by insider threats. Many employees may not even be aware that they have left the gate wide open for criminals to enter freely.
Cloud services and mobile apps have become so readily available that many of the applications used by employees are no longer securely managed inside the IT 'fortress’ of a business. Cyber criminals are fully aware of the open gateway and the opportunity to exploit users. When users download apps or files from an apparently trusted site, malware is seeded inside the corporate network undetected. Once the initial infection is planted, it can easily spread to all corners of the organisation network.
In fact, most of the major enterprise hacks are conducted through internal breaches. Plus, according to figures from the 2015 State of the Endpoint by Ponemon Institute, 78 per cent of IT professionals consider negligent or careless employees who do not follow security policies to be the biggest threat to overall security.
On one hand as cloud applications become mainstream, traditional methods of protection are no longer sufficient to combat web-based crimes.
But as businesses transition to the cloud, there is also an education process that must take place. Employees need to be aware of the hidden risks when sharing and syncing files from multiple devices and accidental data disclosure.
Challenging traditional security
The 1990’s idea of using security appliances installed in a data centre to protect employees who are on their laptops sitting in cafés and working via the cloud, no longer makes sense.
Not only are security appliances tied to legacy location concepts, dictating limitations to the business rather than enabling it, they tend to be built for one security function only. This creates an explosion of new appliances in the data centre to keep up with each new threat, all of which must be individually purchased, installed, maintained and updated.
Appliances also lack the pace to counter evolving threats and fail to meet the architectural flexibility to accommodate new enterprise technology. As a result businesses are operating on outdated security models that don’t provide enough visibility to enable security executives to maintain control.
As such, the traditional 'block vs. allow’ strategy is no longer fit for purpose in today’s 'Everywhere Enterprise’. As the working environment evolves, organisations require a shift to a 'manage and monitor’ approach. After all, prohibiting access to Internet resources will only encourage users to bypass security controls.
Bridging the cloud gap
Looking at new strategies to tackle the threats of the digital age means searching beyond the tools traditionally deployed in the enterprise, towards the benefits of cloud delivered security.
However, while the return on investment of cloud solutions has been well documented, the trend towards using them for security purposes has been treated with trepidation. That’s due to the perceived risks that have been driven by ill-equipped security appliances featuring in the majority of workplace architectures today.
Pointing to this, a Eurostat study showed only 19 per cent of European businesses used cloud computing services last year. The main factor limiting the use of cloud computing is security, found Eurostat, but yet the business benefits of cloud are undeniable – so it is on the rise.
To remain competitive, European businesses must work through security challenges. After all, as cloud applications become more widely accepted and deployed, CISOs are starting to see the competitive advantages of cloud computing in terms of flexibility, agility and competitive advantage. Why pay for capital investments and the resources to manage them when you could redeploy the money for strategic projects?
New technologies and processes can deliver enormous gains in productivity and efficiency to drive business metrics like revenue generation and customer satisfaction. And that’s not the only critical advantage. Cloud solutions are integral to helping businesses realise advanced security capabilities – most importantly, better visibility.
In today’s complex IT environments, the ability to see how every user, device and application is accessing the corporate network is no longer a 'nice to have’, it’s a business imperative. The next generation of enterprise security is about the Direct-to-Cloud Network approach. This is much more than blocking threats. It will support critical security protection by enabling IT to take back control.
Shifting power to the CISO
The proliferation of mobile and cloud technologies has shifted the centre of gravity toward the user.
Moving security to the cloud shifts the balance of power back in favour of the CISO. A cloud security model acts like a check post between the user and the Internet and all Internet bound traffic goes through it, enabling businesses to embrace mobility and cloud while enforcing security policies that follow the user.
It allows companies to embrace innovation securely, while providing the visibility and controls needed to ensure compliance with corporate policies. It also helps executives to regain control of the enterprise’s digital assets and user activity, whether located internally or externally on the Internet, so they can spot potential threats before they escalate.
The challenge for today’s CISOs is shifting focus from basic infrastructure projects to more strategic initiatives. Moving security to the cloud is an example of this type of transformational process. It provides business agility, reduced costs and more importantly, it enables CISOs to use security capabilities as a business enabler.
Many CISOs are beginning to act on the priniciple that protection is no longer enough, prevention is now key. Forward thinking European executives will be investing in cloud-based security to facilitate initiatives in light of this new reality.