We have entered the age of pervasive connectivity. Regardless of whether we are at home, in the office, or on the road, most of us are almost always connected. This trend is blurring the lines between work time and leisure time, with the same devices used for both contexts interchangeably. To support this new connected world, organizations are turning to the cloud – where technology services are consumed as needed, and the associated data can be stored anywhere – or they face being left behind by customers and competitors.
While this “always on” connected world utilizing cloud services brings tremendous opportunities, including tighter collaboration, increased business innovation and accelerated productivity, it also brings significant change from the constraints of client/server and first generation Web applications. It requires organizations to re-evaluate their IT and IT security policies, procedures and processes. The increasing complexity of IT infrastructures and the massive adoption of cloud-based IT services demand a new approach to IT security and compliance that ensures the security of traditional enterprise-based IT solutions along with newer cloud based IT services.
Along with these technology changes, organizations also face a dynamic threat landscape. Cyber attacks are targeting new layers of the IT infrastructure. In addition to well-known (but too often ignored) vulnerabilities and methods of attack, the proliferation of networked devices, endpoints and web applications provides attackers with an expanded target area of vulnerabilities to exploit across diverse IT infrastructures. For example, according to an ENISA 2012 survey, a top threat is malicious HTML code injection into websites that exploits vulnerabilities in user web browsers (also known as drive-by download attacks), and trends indicate that this is an area of increasing risk.
In response to these challenges and to reduce the IT infrastructure on premise, many organizations are turning to cloud-based security solutions. Cloud-based security services are having a significant impact on the existing information security market, influencing the way security controls are deployed and consumed, and driving changes in the market landscape, particularly around a number of key security technology areas including secure email gateways, secure web gateways, vulnerability management, log/event management, web application firewalls, and identity and access management.
Traditional IT security and compliance approaches often struggle to effectively secure evolving IT environments. As IT infrastructures evolve to a mixture of on-premise, cloud and hybrid environments consisting of multiple networks and increasing numbers of devices, traditional on-premise enterprise software products may limit the ability of organizations to effectively protect their infrastructures from security threats and ensure compliance with internal policies and external regulations. Cloud based security services are designed to secure all types of IT environments, including a mixture of enterprise, on premises IT with cloud based IT.
But just as with other cloud based services, organizations considering the use of cloud based security services must ensure they can evaluate the service providers and understand the risks of using a third party service provider. Organizations continue to grow and mature their vendor/third party risk management programs, and they are improving their abilities to assess, understand and manage the risk of engaging third party service providers, including cloud based security solutions. These programs enable organizations to make informed, risk based decisions about adopting cloud services which will likely lead to even greater adoption rates of all types of cloud services, including cloud security services. Of all the cloud service providers, the cloud based security service providers often understand organizational needs and requirements for third party risk management as well, if not better than other providers.
In tandem with the maturation of third party risk management programs, the standards and best practices for secure cloud services are beginning to coalesce. Organizations such as the Cloud Security Alliance are fostering collaboration between the providers and consumers of cloud services, working together to define best practices and guidance for the secure architecture, operation, and use of cloud services. This knowledge sharing is raising the level of awareness among both providers and consumers, leading to more secure cloud service offerings and better educated consumers of cloud services.
In summary, the future for cloud based security services is bright. As organizations adopt more cloud based IT services, cloud based security services will certainly be part of this movement, bringing innovation, flexibility, cost efficiencies and security.
Andrew Wild is the Chief Security Officer for Qualys (https://www.qualys.com). He has more than 20 years of experience leading teams to design, implement and operate secure networks and computer systems. As Qualys’ Chief Security Officer, Andrew oversees the security, risk management and compliance of its enterprise and SaaS environments. Prior to joining Qualys, he managed a team of information security engineers responsible for the design, implementation and operation of security solutions for EMC’s SaaS offerings, with heavy emphasis on cloud and virtualization technologies. Prior to EMC, he was the Chief Security Officer at Transaction Network Services. He has also held a variety of network engineering leadership roles with large network service providers including BT and Sprint. Andrew has a master’s degree in electrical engineering from George Washington University and a bachelor’s degree in electrical engineering from the United States Military Academy. He is a veteran of the United States Army.
Share this content on your favorite Social Network.