The hot topic this week in London at IP EXPO Europe 2014 will not be Big Data. Twelve months seems a short time, but a lot has happened since IP EXPO 2013.
As we mentioned on this blog last month, the landscape has shifted fundamentally. Real jobs, real responsibility and scrutinized budgets are now associated with data and with the business intelligence that organizations require from it.
The excitement of the last few years has been replaced with a pragmatic planning phase which includes less magical but more useful areas such as organizational structure, training and infrastructure architecture. It’s a natural evolution for any burgeoning technology and, like other cloud vendors, we’re looking forward to the next few years, when businesses will invest more heavily in archiving, categorizing and exploiting their data.
But aside from a new era of pragmatism, what do we predict will be a recurring conversation at this year’s IP EXPO? Actually, we believe the strong trend this year will be one that has been around for a while – ‘Cloud Migration’.
There are still a huge number of organizations that are about to or are in the middle of moving their data to the cloud with all the opportunities and challenges that brings. This is why I’ll be presenting ‘The future of Enterprise Information Archiving’ on Wednesday the 8th and Thursday the 9th of October at 2:20 – 2:50pm in the Backup & Recovery Theatre – I’ll hopefully see you there.
We’ve also produced some short video trailers of the presentation – the first one is embedded below this post and titled ‘The Real Cost of Staying On-premises’ which looks at the economic impact of keeping your email archive on-premises.
If you’d like to find out more, do drop in to see us (Stand H10) and we’d be glad to talk about how we can help you plan the migration of your information archive to the cloud.
We’ve come a long way on the timeline of enterprise information security. About ten years ago we’d finally become used to the idea of a second firewall upgrade and were thinking about dedicated security teams and policies that had a reach much farther than just the IT team.
Today, and into the next twelve months, the list of priorities for CIOs and CISOs is far more complex and only bears a passing resemblance to the past.
The future looks far more advanced, from a security perspective, which is rightly an accurate reflection of the nature of the threats that we now face. Traditional security technologies are struggling to keep up, and in many ways have seen their day. Today’s shopping list of security tools would include Mobile Device Management (MDM) services, next generation firewalls and threat detection tools, as well as new, more active types of host anti-virus; altogether more complex and advanced than the types of tools we were buying just a few years ago.
Also on the agenda are the softer, more human components of information security. Compliance tools and processes have never been more important, and neither, perhaps surprisingly for some, have formal enterprise privacy agreements for users. The privacy agreements are a response to growing privacy concerns driven by major data leakage and snooping scandals, while your staff are a new frontier for soft security technologies and training that seek to secure one of the weakest lines of defense in the enterprise.
So all things considered, here are my predictions for the types of projects you’ll be seeing this year:
- Cloud identity and authorization: With the rise of cloud based services in the enterprise, IT teams will need to ensure access control requirements are met across all services. Using third party identity and authorization services that integrate with the cloud and on-premise directory services will be essential to enable the use of cloud services that can match your enterprise authentication policies.
- Cloud encryption: If not provided by a cloud security vendor already, more CIOs will demand their data be encrypted in the cloud with a separate cloud encryption tool. Public cloud services will be affected most to guarantee the confidentiality of data for the enterprise as CIOs seek to find ways to protect their information regardless of its storage location.
- Formal privacy programs: Privacy is critical to both customer and end user trust in your organization, with the added benefit of helping you comply with local laws and customs. CIOs will be creating privacy protection controls for their sensitive customer data and personal information that balance business enablement with business protection. This is a new concept for many, but as the line between enterprise and personal computing is increasingly unclear, CIOs will need to establish clear boundaries for data access, storage and monitoring.
- Next generation tech: The ‘next generation’ is never well defined, but we know the current generation of technologies is fast being outmoded. Security technology in particular has become easy for attackers to circumvent, so vendors are responding with next generation, more advanced security solutions. Spear-phishing is a great example – all the most recent high profile attacks have bypassed traditional email security technologies using very well-crafted malicious emails.
- Threat detection and response: Similarly, as threats change and become stealthier, we need to address how we detect and respond to them, given the possibility that we may not be able to prevent them all. Endpoint and host detection will play a large role in these new projects as businesses look for ways to quickly detect the outbreak of a problem on an endpoint and seek to lock it down or remote wipe it as quickly as possible.
- Security governance: This has always been a growing part of a CIO’s responsibilities, and we’ll see IT GRC management and ITSM increase as rigor is brought to bear on the IT department, and the buy-in of IT initiatives by the rest of the organization becomes more normal.
- Mobile device management: BYOD has come and gone, or at least embedded itself in our everyday IT policy. Users, not satisfied with your policies being enforced on their personal devices, appear to be much happier with the containerized or compartmentalized use of business data and apps on those devices. Simply letting users bring their devices into your network is no longer as acceptable as it once was; controlling the use of your data on their devices is now essential.
- Testing and training: Security training has always been part of our routine for users. Most new users are given a ‘sheep dip’ when they join, and a rare few are given ongoing training thereafter. But as the value of training is diminished by attacks that succeed even against well-trained staff, real-time testing becomes a more viable solution. There are numerous open source tools available to help you socially engineer your staff; we should expect to see these sorts of activities being offered as services in the near future, and should take advantage of them – even if you’ve shied away from classic “pen-testing” in the past.
As the torrent of malicious content and spam moved away from our enterprise inboxes to more consumer and social platforms, we were perhaps lulled into a false sense that we’d finally beaten the spam problem.
But this simply isn’t the case. The risks to our enterprise inboxes and data have morphed into more harmful and effective security threats.
Forrester and Mimecast Webinar ‘Protecting Against Targeted Attacks’ – join us next Tuesday, September 30th, at 10am Eastern (1500 UK, 1600 RSA). Register free here: http://mim.ec/Zdm7qY
Spear-phishing, or targeted attacks by email, is the next generation of threat our IT teams are scrambling to deal with. Plus, as more high profile security breaches hit the headlines, where spear-phishing is often the initial point of entry, it’s a threat that has got the attention of the C-suite.
So Mimecast is hosting another webinar in our series of ‘Expert Webinars’ to share essential advice on how to protect your business against spear-phishing and targeted attacks - the webinar is next Tuesday, September 30th, at 1000 Eastern (1500 UK, 1600 RSA) and you can register for free here.
I’ll be joined by two industry experts: Rick Holland, the well-known Forrester Research analyst and IT security commentator, as well as Steven Malone, Mimecast’s own Security Product Manager.
Spear-phishers are specifically targeting you and your business in an effort to steal your intellectual property, customer lists, credit card databases and corporate secrets.
Whereas old style phishing was a scatter gun attack, spear-phishing is specifically targeted at a handful of individuals within a business. The attackers research their targets over many months, often using social media platforms to gain useful information about you. Like phishing, email is the main attack vector for spear-phishing, with well-crafted, socially engineered emails being the tool of choice.
During the webinar we’ll be discussing: the biggest threats and most dangerous attack tactics; recent high profile case studies; the real life cost of attacks; and the practical steps you can take to protect and educate your users.
Do leave a comment under this post or @reply me at @orlando_sc if you’ve any particular areas you want us to cover next week.
Earlier this month, as you’ve no doubt heard, a batch of private pictures of celebrities were circulated widely on the Internet, having been either leaked or stolen from a storage medium the celebrities considered private and trustworthy.
One security breach doesn’t prove that the cloud is unsafe. It’s still safer than the alternatives.
On the theory that one person’s misfortune is another’s teachable moment, the Internet has been flooded, not by the pictures, but by well-meaning explanations of how users can protect themselves from such privacy violations. Most of them give advice that is mostly good; it’s certainly true that most people take far too few precautions with their most sensitive information. But some of it’s misleading, perhaps even betraying an ulterior motive and a hidden agenda.
While experts can agree on the vast majority of things you should do to be safe — which I won’t reiterate here — sometimes their advice reflects unspoken assumptions or agendas. While there’s a great deal of consensus about how to protect data stored in a given manner, there’s much more debate about whether one type of storage is fundamentally more secure than another.
Consider the lowly flash drive. Some would tell you that the safest place to put your data is on such a drive. It’s true that the lack of networking on a storage card makes it immune to network-based attacks, but instead it’s vulnerable to physical ones — those tiny drives are easy to steal, or to lose. Is your security better overall with the flash drive? It’s not easy to say.
Similarly, in the recent disclosure of scandalous pictures, some have rushed to say that this shows the insecurity of the cloud. Leaving aside the fact that Apple ultimately concluded that the pictures were not stolen from their cloud service, there’s a legitimate (albeit misplaced) question here: Is cloud storage less secure than other forms of large-scale storage?
Obviously it depends on what you look at. As I’ve said, USB vs cloud strikes me as too close to call on the personal side. But for business users, the right comparison is to on-premises systems. Many executives feel safer knowing that the data doesn’t leave their site, where they believe they have complete control. However, while that control might be complete for a small number of businesses, the typical business is far from expert in matters of security, whereas for cloud providers it’s a live-or-die issue. With very few exceptions, I think business data is more secure with a good cloud provider than with an overextended, undertrained IT team on premises.
So, does that mean the cloud is more secure than on-premise storage? Again, the answer isn’t black and white. How do you know how good your cloud provider is? Do you trade off professional security in the cloud with perceived security in your organization? There’s room for disagreement and nuance, for sure.
However, we should all beware of self-interested pundits who draw overly broad conclusions. Not only was the recent leak not a cloud leak after all, but even if it had been, we can’t read too much into an isolated event, remembering that nothing is perfect. One security breach doesn’t prove that the cloud is unsafe, any more than one accident with a change machine proves that change machines are a menace.
Life is dangerous. The only way to know how much a particular thing endangers us is to look at some longer-term statistics. An isolated event means nothing, but when someone uses such an event to broadly generalize, it can tell you a good deal about their own agenda.