Getting comfortable with cloud-based security: Whom to trust to do what
You don’t always have to do everything yourself. Really
There are some bits of computing that you just don’t want to trust other people with. They’re just too sensitive. But at the same time, there are some things that people can do as well or better than you, for a lower cost.
Finding a balance between the two can be tricky, but useful. Take cybersecurity as an example.
It’s devilishly difficult to do the whole thing properly, because there are too many moving parts. Some of these moving parts are easily identifiable and clearly defined.
Others extend far beyond off-the-shelf products, reaching into your organization in unpredictable and nuanced ways. Outsourcing some of the clearly defined tasks can free you up to concentrate on the stickier bits of cybersecurity that are subtler and more specific to your company.
Everyday security tasks
The everyday tasks are the things that you should be running on every packet in your network, such as filtering emails, checking attachments for malware, and watching where your employees surf online to stop their browsers getting nobbled. These things have been done in-house for years in a couple of ways, but each has its disadvantages.
Firstly, you can buy a variety of best-of-breed tools to handle these various tasks independently, and then spend all your time configuring and maintaining them, and trying to get a single view of what they’re all doing. That takes expertise which many firms – especially SMBs – don’t have.
Secondly, you can buy a single product, like a unified threat management appliance, that claims to do most of the heavy lifting for you. These devices are often configured once and then maintained by the vendor, in what amounts to a managed CPE deal. That can work well, but unless you have some kind of financing deal you might find yourself investing a decent amount of capital in the thing, and will then have to upgrade it occasionally. It also means that you’re locked in with a single vendor.
Moving these everyday security tasks to the cloud is becoming an increasingly viable alternative. Cloud-based security service providers have been gradually nibbling away at cyber security services, processing your network packets before they reach your premises.
Analysts think that this market is set for growth. IDC reckoned at the end of 2014 that a third of all security will be delivered online by 2018. Should you move these cyber security measures to the cloud? Here are a few things to think about.
The savings when switching from capex to opex can often be irresistible, but will your cloud security provider save you money in the long run? If you’re paying by the seat, as most users of basic cloud security services do, think about your expansion plans and crunch the numbers to find out when the service becomes more expensive than the other two options. Don’t end up suffering from ‘cloud shock’ by underestimating the cost for the entire user base – now, or in the future.
One of the key benefits of cloud-based security services is complexity reduction, so check to see which services are covered. You may have to cherry pick a couple of cloud cyber security vendors to get the full feature set that you want. That has ramifications for…
The quality of reporting should feature heavily in your cloud cyber security strategy. Visibility is a function of coverage here. The cloud can be a "fire and forget" option, but ideally you’ll want to get an understanding of what’s happening to your network traffic, along with some threat intelligence data. Some visibility into the cloud provider’s own operation wouldn’t go amiss either – are there any planned or unplanned outages? Can you check the billing cycle and easily file support tickets?
Depending on your risk tolerance, you can move more advanced cyber security functions into the cloud, such as identity management. Endpoint security and server-based intrusion prevention are also on the radar, although these can entail the use of on-premise software agents.
If you’re taking cloud cyber security beyond the basics to this level, then start to ask how it might integrate with any existing cyber security resources that you have left in-house, such as your security information and event management system, or any inline hardware-based IPS monitoring internal network traffic that you don’t yet want to give up.
If cloud is the way you go, it will free you up to think more strategically about your cyber security stance. Tools alone don’t make an organisation safe. The real challenge lies in a few other critical areas. These stickier cyber security tasks include user awareness, which is a deep challenge that goes way beyond a couple of finger-wagging education sessions.
Process refinement is another. Formalised patch testing and management is one of a set of strategies that can help to eliminate 85 per cent of intrusions, according to the Australian Signals Directorate – although this is now available as a managed service, too.
Putting cybersecurity in the cloud can make sense, but the journey involves an understanding of the economics involved, the capabilities that you want to outsource – and how you’re going to bolster your security still further with the spare cash and human resources left behind.