The Nexus of Forces is transforming the approach towards information security as new requirements are brought about by social, mobile, cloud and information, according to Gartner.
Gartner predicts that traditional security models will be strained to the point that, by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2013.
An increasingly mobile workforce is demanding access to systems and information at anytime from anywhere. In this interconnected and virtualised world, security policies tied to physical attributes and devices are becoming redundant and businesses must learn to accommodate new demands being made on IT while also maintaining more traditional security controls.
“We are faced with a ‘perfect storm’ – the convergence of socialisation, consumerisation, virtualisation and cloudification that will force radical changes in information security infrastructure over the next decade,” says Tom Scholtz, vice-president and Gartner fellow.
“Organisations are changing radically – tearing down and redefining traditional boundaries via collaboration, outsourcing and the adoption of cloud-based services – and information security must change with them.”
Scholtz says that rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models.
Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and there are already signs of this transformation. Application, identity and content awareness are all part of the same underlying shift to incorporate more context to enable faster and more-accurate assessments of whether a given action should be allowed or denied.
Bring your own device (BYOD) is one of the most significant IT transformations happening today. It is driven by an intense desire among employees to use personally-owned devices. IT organisations have realised that they can potentially benefit from the model as well. The transition to enable BYOD takes an organisation through four phases.
The first phase includes IT’s rejection of personally-owned devices. This becomes an untenable solution, leading the organisation to move to the second BYOD phase, accommodation. At this second stage, organisations recognise that end users want to use personally-owned devices, and IT must accommodate that demand by implementing compensating controls. Data protection is the organisation’s primary concern.
The third phase is “adopt”. In many organisations, mobility represents an opportunity to improve externally-facing customer services, internal business processes, productivity, and employee satisfaction.
This means that IT organisations must focus on issues beyond security in support of personally-owned devices. In this phase, the enterprise focus shifts to productivity and employee satisfaction and from a reactive to a proactive approach.
The fourth phase is assimilate, which represents the realisation of the personal cloud. Integrating the user experience (application and data accessibility) is a key focus at this phase. Here, BYOD is fully adopted, and the focus of the enterprise is to optimise, operate, and evolve the strategy.
Different types of organisations are likely to take advantage of different forms of externally provisioned cloud services. Highly sophisticated organisations, with large amounts of data that would be of interest to either competitors or regulators, are naturally hesitant to hand over control of their data’s destiny to external parties.
Smaller and less sophisticated organisations not only have fewer concerns about being able to demonstrate their data protection, but they also have less ability to build and maintain their own IT infrastructure.
In practice, small to medium sized business (SMBs) are more likely to entrust large amounts of the organisation’s own data, and processing, to cloud-based services.
Other than storage (and PC backup is an especially appealing form of service), these types of customers have relatively little ability to create their own applications, or even manage their own servers, so they are most likely to take advantage of software as a service (SaaS) applications.
In contrast, large and sophisticated organisations are looking for inexpensive and convenient environments in which to deploy virtual machines. Having greater needs for data governance and a relatively greater ability to take advantage of it, enterprise customers are most likely to gravitate toward infrastructure as a service (IaaS) first. However, the business units within an enterprise may well have the characteristics of SMBs, so most enterprise class organisations do have many pockets of SaaS use.
“The megatrends of consumerisation, mobility, social, and cloud computing are radically transforming the relationship between IT, the business, and individual users. Organisations are recognising and responding to the need to move from control-centric security to people-centric security,” says Scholtz.
“People-centric security focuses primarily on the behaviour of internal staff – it does not imply that traditional ‘keep the bad guys out’ controls have become redundant.
“Indeed, many of these will be essential for the foreseeable future. However, people-centric security does prescribe a major change of emphasis in the design and implementation of controls – always trying to minimise preventative controls in favour of a more human-centric balance of policies, controls, rights and responsibilities. It tries to maximise human potential by increasing trust and independent decision making.”