So here we are, in 2016. Thinking back to my experience as a regular system administrator, then an operations officer, consultant and now – a CTO and architect for Predica customers – I can tell you: the security of IT has massively changed.
Brilliant! Oblivion! Woo hoo – now the truth has been revealed! What is this guy talking about? Where is my Gartner-like-statement rescue boat?
These might be your reactions to that statement. And believe me. I would react the same way.
I currently work with organizations of various sizes on a daily basis. Small, medium, enterprise customers with thousands of employees, hundreds of legacy apps and dependencies between them. All of them have something in common – they are trying or they are already using some kind of SaaS application.
Is it happening in your organization? No? Because you prevent it?
Let me share a story with you. I have worked with a customer in Northern Europe whose outsourced IT department was harsh regarding networking policies (in particular with the remote vendors). The access to remote sharing tools like Team Viewer, Skype or S4B – blocked. All of their communication software – on-premise and locked down. For IT security reasons!
When I arrived at their site and saw a team collaborating over Slack, and I asked them “Wow! Have you adopted Slack in the organization?”, they answered: “No, we have just found it is working in our network and with external users so we have started using it.”
Fast forward a year from this conversation… They are adopting Office 365 and moving all their collaboration to the cloud technology. Why is this example relevant to you? Because it is showing two important trends which will happen in your organization as well.
Move towards SaaS applications and services
The SaaS software market is growing. According to the Trends in Cloud IT monthly poll from BetterCloud, by 2020 more than 60% of SMB and more than 30% of mid-market companies will be run entirely in the cloud.
If your business wants to adopt a new CRM system, it will. Most likely it will be a cloud-based CRM. And you will be a part of that process by providing access and protecting it.
The Rise of Shadow IT
Let’s face reality. There is one thing which stands between your users and SaaS. It is a credit card. This piece of plastic enables every user to be their own CIO.
A study by Frost & Sullivan and Intel Security shows that 80% of survey respondents admit to using non-approved SaaS applications in their jobs. And 23% of respondents in a 2016 Intel Security survey said that they run their security department without IT’s help.
This is our new reality. With this also comes the change to what is a new “secure” way of doing things.
IT security has changed. Threats have changed. The rise of Advanced Persistent Threats (APT) and the motivation of the bad guys (according to the Verizon Data Breach Report, 89% of data breaches in 2015 had a financial or espionage motive) require you to rethink the approach towards data protection you used in the past. You can’t simply cut all of it anymore.
What to do, then? If you can’t stop the change – embrace it! This can be fun and also boost your career along the way.
Here are five pivotal steps we took at Predica and wholeheartedly recommend to our clients.
Commit to change to IT security
Sounds like another buzzword, huh? But that’s real. You have to commit to change to lead others.
Let me share our story here with you. Predica is a small company – we have 50+ employees and double that number with external contractors working with us permanently or on a contract basis.
How have we committed to this change? Two years ago we made the decision to become a cloud-first company.
Since then we have removed all of our on-premises infrastructure, and moved to SaaS software (first Google Apps, then Office 365), private cloud (mostly development and test labs running on rented machines) and public cloud (applications running on Azure PaaS, our dev\lab moving to the Azure IaaS).
Have we done it “just because”? Or because we’ve drunk cloud Kool-Aid? Believe it or not, we made an informed decision based on data and related to our goals.
Am I saying you should drop everything and migrate to the cloud? By no means!
I’m saying that you have to get prepared and work on your approach. You can start with (based on our customer experience):
- Reviewing your policies and procedures – are they easy to understand and apply by users? Do they need to be updated for deploying SaaS?
- Getting to know the regulatory requirements for remote access, information protection, data leakage prevention and moving data to cloud services.
- Rethinking your access management strategy – how to manage access to SaaS software? Is it focused around on-premises services only?
These are not all but some of the areas you may start to work on.
Leverage data analytics
Don’t make your decisions on a hunch or a gut feeling. There is plenty of data around you to back up your decisions. Become a data freak.
Our example – we were able to decide about moving our dev\test to Azure IaaS based on the answer to the question: What is the cost of running these services?
Then we measured the cost of running the same configurations on Azure IaaS. We had to tweak machines and operations to make it feasible.
We measure lots of data, and it helps us to make informed decisions when needed.
There is plenty of data around you in systems and applications. Start to gather it. Analyze it. Start small – select your first KPIs and track them with the relevant data!
Control is key!
Your users are probably ahead of you in this game. They do use some SaaS applications and services at work. You can’t block them… but you can start to control them and then decide on the approach.
We have deployed the Cloud App Discovery service to gather information on SaaS software. We just want to know what is being used. What can we do with this knowledge? Provide a better user experience, like single sign-on based on our identity service.
It is not about blocking from the start but getting the knowledge about it. Pick your solution. Start to gather usage data. You will be able to provide a better experience and assess risk.
Remember: control is not equal to blocking! At least not always.
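As an added illustration of gathering usage data before deciding what to block (this is not Predica's code and not how the Cloud App Discovery service works internally), the sketch below tallies SaaS usage from egress-proxy records. The log format, the domain-to-app catalogue and the sanctioned list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample egress-proxy log: timestamp user host bytes_out
SAMPLE_LOG = """\
2016-05-02T09:01:11Z alice files.slack.com 48211
2016-05-02T09:03:40Z bob outlook.office365.com 9120
2016-05-02T09:04:02Z carol app.slack.com 1833
2016-05-02T09:07:19Z alice www.dropbox.com 7340032
2016-05-02T09:09:55Z dave intranet.corp.example 512
malformed line without enough fields
2016-05-02T09:12:30Z bob www.dropbox.com 1048576
"""

# Hypothetical catalogue: domain suffix -> application name
APP_CATALOGUE = {"slack.com": "Slack", "office365.com": "Office 365",
                 "dropbox.com": "Dropbox"}
SANCTIONED = {"Office 365"}  # assumption: apps IT has formally approved

def app_for_host(host):
    """Map a hostname to a catalogued app by domain suffix, else None."""
    host = host.lower().rstrip(".")
    for suffix, app in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(log_text):
    """Return {app: {"users": set of users, "bytes_out": total bytes}}."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of failing the run
        _, user, host, sent = parts
        app = app_for_host(host)
        if app is None:
            continue  # not a catalogued SaaS app (e.g. internal hosts)
        usage[app]["users"].add(user)
        usage[app]["bytes_out"] += int(sent)
    return dict(usage)

def unsanctioned_report(log_text):
    """Unsanctioned apps as (app, user_count, bytes_out), largest first."""
    rows = [(app, len(s["users"]), s["bytes_out"])
            for app, s in discover(log_text).items() if app not in SANCTIONED]
    return sorted(rows, key=lambda r: r[2], reverse=True)

print(unsanctioned_report(SAMPLE_LOG))
```

The per-app user count shows where single sign-on would help the most people, and the outbound volume shows where data-leakage risk should be assessed first.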
Develop your team
This doesn’t mean sending them all for a round of vendor training. This isn’t development. It is just budget burning.
Instead – map the skills you need and what is missing. Do it bottom-up with your team!
We have done this with the application called Grandler. It enables our team to provide feedback on their skills within a skills matrix among each other. Using this feedback we can plan training.
Empower your employees! Give them control of their development. We allow our employees to plan the use of their educational budget on their own. Build their career plans and define clear objectives to achieve. Make sure you reward achieving those – even with beer and burgers. People love to be rewarded! You’ll see the difference soon.
Finally, a bit of my technical advice. This is your new policy paradigm – expect that a breach may happen. You need to minimize its risk and assess the damage. Identify the critical assets for your IT security, potential targets, and deploy a plan to protect them.
To minimize the risk of unauthorized access at Predica, we have taken some steps:
- We’ve deployed multi-factor authentication for all our users. This is a separate lesson to share on its own. It means putting up the first level of protection for our users.
- We have deployed Privileged Identity Management to protect our administrative users. Now access granted for an administrative user will not go unnoticed, and we have a full log of these activities.
- We are using Identity Protection to mitigate risks for our users and take actions on them. Our consultants do travel a lot. And we need to stay informed to protect them.
Giving these ideas a shot may not stop the bad guys from trying to enter your network – it will not instantly improve your IT security metrics. But it will let you adapt and be a part of change – in the long run, making life for the bad guys a bit harder.
If you have any questions, reflections or want to share a similar case study – the comment space below is aaaaall yours. (I’m telling you… you don’t even suspect how many people you’ll end up helping by simply typing!)