Traditional security models becoming exhausted
The Nexus of Forces is transforming the approach towards information security as new requirements are brought about by social, mobile, cloud and information. Gartner predicts that traditional security models will be strained to the point that, by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10 percent in 2013.
An increasingly mobile workforce is demanding access to systems and information at anytime from anywhere. In this interconnected and virtualized world, security policies tied to physical attributes and devices are becoming redundant and businesses must learn to accommodate new demands being made on IT while also maintaining more traditional security controls.
“We are faced with a “perfect storm’ – the convergence of socialization, consumerization, virtualization and cloudification that will force radical changes in information security infrastructure over the next decade,” said Tom Scholtz, vice president and Gartner fellow. “Organizations are changing radically – tearing down and redefining traditional boundaries via collaboration, outsourcing and the adoption of cloud-based services – and information security must change with them.”
Mr. Scholtz said that rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and there are already signs of this transformation. Application, identity and content awareness are all part of the same underlying shift to incorporate more context to enable faster and more-accurate assessments of whether a given action should be allowed or denied.
BYOD is one of the most significant IT transformations happening today. It is driven by an intense desire among employees to use personally-owned devices. IT organizations have realized that they can potentially benefit from the model as well. The transition to enable BYOD takes an organization through four phases.
The first phase includes IT’s rejection of personally-owned devices. This becomes an untenable solution, leading the organization to move to the second BYOD phase, accommodation. At this second stage, organizations recognize that end users want to use personally-owned devices, and IT must accommodate that demand by implementing compensating controls. Data protection is the organization’s primary concern.
The third phase is ‘adopt’. In many organizations, mobility represents an opportunity to improve externally-facing customer services, internal business processes, productivity, and employee satisfaction. This means that IT organizations must focus on issues beyond security in support of personally-owned devices. In this phase, the enterprise focus shifts to productivity and employee satisfaction and from a reactive to a proactive approach. The fourth phase is assimilate, which represents the realization of the personal cloud. Integrating the user experience (application and data accessibility) is a key focus at this phase. Here, BYOD is fully adopted, and the focus of the enterprise is to optimize, operate, and evolve the strategy.
Different types of organizations are likely to take advantage of different forms of externally provisioned cloud services. Highly sophisticated organizations, with large amounts of data that would be of interest to either competitors or regulators, are naturally hesitant to hand over control of their data’s destiny to external parties. Smaller and less sophisticated organizations not only have fewer concerns about being able to demonstrate their data protection, but they also have less ability to build and maintain their own IT infrastructure.
In practice, SMBs are more likely to entrust large amounts of the organization’s own data, and processing, to cloud-based services. Other than storage (and PC backup is an especially appealing form of service), these types of customers have relatively little ability to create their own applications, or even manage their own servers, so they are most likely to take advantage of software as a service (SaaS) applications.
In contrast, large and sophisticated organizations are looking for inexpensive and convenient environments in which to deploy virtual machines. Having greater needs for data governance and a relatively greater ability to take advantage of it, enterprise customers are most likely to gravitate toward infrastructure as a sevice (IaaS) first. However, the business units within an enterprise may well have the characteristics of SMBs, so most enterprise class organizations do have many pockets of SaaS use.
“The megatrends of consumerization, mobility, social, and cloud computing are radically transforming the relationship between IT, the business, and individual users. Organizations are recognizing and responding to the need to move from control-centric security to people-centric security,” said Mr. Scholtz. “People-centric security focuses primarily on the behavior of internal staff – it does not imply that traditional “keep the bad guys out’ controls have become redundant. Indeed, many of these will be essential for the foreseeable future. However, people-centric security does prescribe a major change of emphasis in the design and implementation of controls – always trying to minimize preventative controls in favor of a more human-centric balance of policies, controls, rights and responsibilities. It tries to maximize human potential by increasing trust and independent decision making.”