The Chief Information Security Officer, CISO, cannot say “no” to every initiative. Before a request is declined, it is helpful for all concerned to understand the reasons an IT initiative might be declined. From a cStor webinar presentation delivered by Andras Cser of Forrester Research, here is a look at the data center demands a CISO must conquer.
First, the CISO needs to stay on top of what is happening in the data center: security threats, how internal IT operations and security can work with cloud providers and Line of Business folks. Then that needs to be communicated to all departments, setting boundaries and managing expectations. Here are key concerns helpful for all users to know.
The Data Center is Loosely Coupled
Many workloads are in the cloud. The process of connecting them with on-premises environments, workloads and data structures is intricate and can limit capability. Requests for IT support must include clear objectives so that systems can be set up to meet needs. And, adequate resources must be available to set up the structure, securely. Many times, line-of-business users procure cloud services that may expose the on-premises data center, so communication with IT is crucial for all such transactions. Working together, LOB users can get the access they need while IT can maintain a secure and stable data center that is ready to scale.
Struggle to Reduce Cloud Security Risks
The CISO must answer to auditors. Many organizations realize that using a secure cloud is beneficial for efficiency while security with on-premise workloads is more vulnerable than the cloud. Still, it is important that LOB users know that many security constraints are not via CISO, but by a cloud provider. Here is a look at the measures encountered with securing the cloud-connected data center:
- Security TO the Cloud: includes required interfaces within the on-premise data center to facilitate working with the Cloud Provider.
- Security IN The Cloud: the Cloud Provider ensures protecting workloads in the cloud.
- Security FROM the Cloud: making the internal infrastructure more secure, and the cloud-based infrastructure more secure, including services that make the structure more secure.
Cloud security is like a two-component glue—it’s a unique blend.
Cloud is not just a delivery or storage platform, and cloud security is beyond just continuing and extending security to the cloud. Some of the challenges with cloud security include:
- Lack of Control. Cloud security provides ease of use for end-users. It does not—and should not—require users to change behaviors or tools.
- Inconsistent Control. When using the cloud, you do not own everything. And, you cannot change the behavior of users. So the only thing the CISO can manage is the workstation.
- Elasticity. With the cloud, the CISO cannot ensure steady-state for varying workloads. When demand bursts or new loads come up, security configurations need to be employed.
- Scalability. Security needs to be ready to meet growing needs, especially when variable server counts are needed to meet business goals.
- Portability. The same controls need to work everywhere. Sometimes this isn’t readily set up or requires separate consideration. Security measures for remote workstations need to protect them just as on-premises workstations are guarded.
Data Protection for on-premises and cloud has multiple layers, much like layers of an onion skin. Each needs to be implemented to provide an appropriate level of protection at various levels of the database accessibility. From users and passwords to encryption—on-premise and in transit—it is important to guard sensitive information and manage access to it. Detection and prevention work at the firewall level. Beyond that, behavior profiling helps to flag abnormal activity.
According to Cser, to protect the “mother ship” from the torpedo of attack, you need to direct attention at threats as with a searchlight. Scanning the environment and monitoring it with rules of behavior analysis will flag activity that is irregular, perhaps predictive of a threat. Ultimately, the CISO seeks to meet business needs, while reducing the cost of rule management and improving the accuracy of threat detection.
With the right understanding of business goals and data center sensitivities, LOB requests can be met, securely, in a mutually agreeable time and manner. Avoid the “no” by keeping in the “know” and sharing an understanding across business disciplines.