So here we are, in 2016. Thinking back of my experience as a regular system administrator, then an operations officer, consultant and now – a CTO and architect for Predica customers, I can tell you: IT security has massively changed.
Brilliant! Oblivion! Woo hoo – now the truth has been revealed! What this guy is talking about? Where is my Gartner-like-statement rescue boat?
These might be your reactions to that statement. And believe me. I would react the same.
I currently work with organizations of various sizes on a daily basis. Small, medium, enterprise customers with thousands of employees, hundreds of legacy apps and dependencies between each other. All of them have something in common – they are trying or they have been already using some of SaaS application.
Is it happening in your organization? No? Because you prevent it?
Let me share a story with you. I have worked with a customer in Northern Europe whose outsourced IT department was harsh regarding networking policies (in particular with the remote vendors). The access to remote sharing tools like Team Viewer, Skype or S4B – blocked. All their communication software – on-premise and locked down. For IT security reasons!
When I arrived at their site and saw team collaborating over Slack, I asked them “Wow! Have you adopted Slack in the organization?” They answered: “No, we have just found it is working in our network and with external users so we have started to use it.”
Fast forward a year from this conversation… They are adopting Office 365 and moving all their collaboration to the cloud technology. Why is this example relevant to you? Because it is showing two important trends which will happen in your organization as well.
Move towards SaaS applications and services
SaaS software market is growing. According to Trends in Cloud IT monthly pool from Better Cloud, by 2020 more than 60% of SMB and more than 30% of mid-market companies will be run entirely in the cloud.
By 2020 more than 60% of SMB and more than 30% of mid-market companies will be run entirely in the cloud.
If your business wants to adopt new CRM system, it will. Most likely it will be a cloud-based CRM. And you will be part of that with providing access and protect it.
An enormous jump in per cent of companies switching to cloud is ahead of us. More than 60% of SMB and more than 30% of mid-market companies by 2020. Source: Trends in Cloud IT, BetterCloud
Rise of Shadow IT
Let’s face reality. There is one thing which stands between your users and SaaS. It is a credit card. This piece of plastic enables every user to be their own CIO.
A study by Frost & Sullivan and Intel Security shows that 80% STL of survey respondents admit to using non-approved SaaS applications in their jobs. And 23% of respondents in 2016 Intel Security survey said that they run their security department without IT’s help.
This is our new reality. With this also comes the change to what is a new “secure” way of doing things.
IT security has changed. Threats have changed. The rise of Advanced Persistent Threats (APT) and motivation of bad guys (according to Verizon Data Breach Report, 89% of data breaches in 2015 had a financial or espionage motive) requires you to rethink your approach towards data protection used in the past. You can’t simply cut all of it anymore.
What to do then? If you can’t stop the change — embrace it! This can be fun and also boost your career on the way.
Here are five pivotal steps we made at Predica — and we wholeheartedly recommend to our clients.
Commit to the change for the IT security
Sounds like another buzz word. Huh? But that’s real. You have to commit to change to lead others.
Let me share our story here with you. Your Predica is a small company – we are 50+ employee and double that number of external contractors working with us permanently or on a contract basis.
How we have committed to this change? Two years ago we made the decision to become cloud first company.
Since then we have removed all of our on-premises infrastructure moving to SaaS software (first Google Apps, then Office 365), private cloud (mostly development and test labs running on rented machines) and public cloud (applications running on Azure PaaS, our dev\lab moving to the Azure IaaS).
Have we done it “just because”? Or because we’ve drunk cloud cool-aide? Believe me or not. We have made an informed decision based on the data and related to our goals.
Am I saying you should drop everything and migrate to the cloud? By all means no!
I’m saying that you have to get prepared and work on your approach. You can start with (based on our customer experience):
- Reviewing your policies and procedures – are they easy to understand and apply for users? Do they need to be updated for deploying SaaS?
- Getting to know what are regulatory requirements for remote access, information protection, data leakage prevention and moving data to through cloud services.
- Rethinking your access management strategy – how to manage access to SaaS software? Is it focused around on-premises services only?
These are not all but some of the areas you may start to work on.
Leverage the data analytics
Don’t make your decisions on a hunch or gut feeling. There is plenty of data around you to back up your decisions. Become the data freak.
Our example – we were able to decide about moving our dev\test to Azure IaaS based on the answer to the question: What is the cost of running these services?
Then we have measured the cost of running same configurations on Azure IaaS. Had to tweak machines and operations to make it feasible.
We measure lots of data. And it helps us to make informed decisions if needed.
Such data analytics tool may stand for your base to make reasonable decisions on your security measures. Source: blogs.technet.microsoft.com
There is plenty of data around you in systems and applications. Start to gather it. Analyze it. Start small – select your first KPIs and track it with the relevant data!
Control is a key!
Your users are probably ahead of you in this game. They do use some SaaS applications and services at work. You can’t block it… but you can start to control it and then decide how to approach it.
We have deployed the Cloud App Discovery service to gather information on SaaS software. We just want to know what is being used in it. What can we do with this knowledge? Provide better user experience, like single sign-on based on our identity service.
It is not about blocking from the start but getting the knowledge about it. Pick your solution. Start to gather usage data. You will be able to provide a better experience and assess risk.
Remember. Control is not equal to blocking! At least not always.
Develop your team
Don’t mean to send them all for a round of vendor training. This isn’t development. It is just budget burning.
Instead – map skills you need and what is missing. Do it bottom up with your team!
We have done this with the application called Grandler. It enables our team to provide feedback on their skills within skills matrix among each other. Using this feedback we can plan training.
Grandler app provides Predica’s employees with an essential map of competences to rely on when building teams for new projects.
Empower your employees! Give them control of their development. We allow our employees to plan the use of their educational budget on their own. Build their career plans and define clear objectives to achieve. Make sure you reward achieving those – even with beer and burgers. People love to be rewarded! You’ll see the difference shortly.
In the end, a bit of my technical advice. This is your new policy paradigm – expect a breach may happen. You need to minimize its risk and assess the damage. Identify critical assets for your IT security, potential targets, and deploy the plan to protect it.
MFA set up in Predica allows to put a second layer of security measures on each user’s account.
To minimize risk of unauthorized access in Predica we have taken some steps:
- We’ve deployed multi-factor authentication for all our users. This is a separate lesson to share on its own. It means putting the first level of protection for our users.
- We have deployed Privilege Identity Management to protect our administrative users. Now access granted for administrative user will not get unnoticed, and we have full logging of these activities
- We are using Identity Protection to mitigate risks for our users and take actions on it. Our consultants do travel a lot. And we need it to get informed to protect them.
Giving these ideas a shot may not stop bad guys from trying to enter your network – it will not instantly improve your IT security metrics. But it will let you adapt and be a part of change -in the long run making live for bad guys a bit harder.
If you have any questions, reflections or want to share a similar case study — the comment space below is aaaaall yours. (I’m telling you… you don’t even suspect how many people you’ll end up helping by simply typing your keys.)
And if you’re currently facing a similar challenge in your organisation, check out our Security & Identity Management section, where you can request a free consulting session with me 🙂