Hybrid IT – security, governance, risk, and compliance
Sheer complexity. That’s what I’d say is the main challenge of cybersecurity in relation to hybrid IT.
Don’t get me wrong. It is perfectly possible to secure hybrid IT. But it’s complex, and quite different in many ways from traditional IT security.
That complexity shouldn’t deter you from using hybrid IT, and getting the operational and commercial benefits you want out of it. But there are a few things you need to bear in mind.
55% of enterprises interviewed in our new research into hybrid IT said that a concern around security and compliance was the biggest factor inhibiting adoption.
First get visibility
The most common issue I hear from clients is, ‘I just don’t know what’s going on’. You can’t secure what you can’t see. You need to know what SaaS services other lines of business are buying, what VLANs and servers DevOps are spinning up, even when a new device is connected to the network.
So getting detailed visibility of your entire infrastructure is step one, and to do that you will need an automated discovery capability. Once you know what’s going on, then you can apply appropriate security controls at every level, from the macro domain level right down to individual service containers.
Then get in control
The next most common issue I hear is, ‘I can’t control where my data is in the cloud’. That’s true – up to a point. In a standard public cloud your data could be anywhere. And as long as the cloud has basic security, and your data isn’t subject to any particular compliance requirements, why should it matter where it’s located?
But in sectors like financial services or government, it’s essential to be able to control where the data resides. So, does that mean you shouldn’t use the cloud? No, you can…
With some cloud providers, you can specify the physical geography where your data resides. For example, with Microsoft Azure, or Dimension Data’s own Managed Cloud Platform, you can specify that your data should remain in, say, Eastern Australia, but not which city. And that may be enough, even in financial services.
First Choice Global got the economic and operational benefits of cloud, with control over where data resided, so that they could run their money transfer service in Africa, while remaining compliant with their US partner’s regulatory requirements.
Keep up with new products
I have the privilege to talk to one new start-up every two days – and that’s following two prior stages in the screening process. Not only do I get to understand their product, but I have the privilege of seeing how they can change the industry.
Our legal department tells me that Dimension Data’s security practice has twice as many vendors as any other practice. And that’s because there are so many point products we need to use to properly secure our clients.
I’ve realised that the more virtualised an infrastructure becomes, the harder it gets to secure. For example, there is a whole mini-sector of cloud access security brokers (CASB) that can help secure SaaS services.
A CASB can identify specific corporate users that are using personal SaaS (e.g. Dropbox). It can identify how many files they’re uploading, of what size, and how often. These tools can even prevent users from doing so – but allow access to a corporate-approved alternative like Microsoft OneDrive instead. With the rise of shadow IT, it’s becoming very important to keep up with developments in CASB.
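To make the CASB reporting described above concrete, here is an added example (not from any CASB product or from Dimension Data) that summarises uploads to unsanctioned SaaS per user and returns an allow/block verdict. The log format, the sample lines and the domain-to-service policy table are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Assumed policy: domain suffix -> (service, sanctioned?). Illustrative only.
POLICY = {
    "dropbox.com": ("Dropbox (personal)", False),
    "sharepoint.com": ("OneDrive for Business", True),
}

# Constructed proxy log lines: ISO time, user, method, host, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:12:03 alice POST www.dropbox.com 1048576
2024-05-01T09:40:10 alice POST www.dropbox.com 5242880
2024-05-02T14:02:55 alice PUT www.dropbox.com 2097152
2024-05-01T10:00:00 bob PUT contoso.sharepoint.com 4194304
2024-05-01T10:05:00 bob GET www.dropbox.com 0
malformed line
"""

def classify(host):
    """Return (service, sanctioned) for a host, or None if it is not tracked."""
    host = host.lower().rstrip(".")
    for suffix, entry in POLICY.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def decide(method, host):
    """Inline verdict: block uploads to unsanctioned SaaS, allow everything else."""
    entry = classify(host)
    if entry and not entry[1] and method in ("POST", "PUT"):
        return "block"
    return "allow"

def summarize_uploads(log_text):
    """Per (user, service): upload count, total bytes, distinct active days."""
    stats = defaultdict(lambda: {"files": 0, "bytes": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] not in ("POST", "PUT"):
            continue  # skip malformed lines and non-upload requests
        ts, user, _method, host, size = parts
        entry = classify(host)
        if entry is None or entry[1] or not size.isdigit():
            continue  # report only uploads to unsanctioned SaaS
        s = stats[(user, entry[0])]
        s["files"] += 1
        s["bytes"] += int(size)
        s["days"].add(datetime.fromisoformat(ts).date())
    return {k: (v["files"], v["bytes"], len(v["days"])) for k, v in stats.items()}
```

Matching on a domain suffix with a leading dot keeps look-alike hosts such as `notdropbox.com` out of the report.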
Integrate and automate
Hybrid IT moves faster than traditional IT, and sometimes security can struggle to keep up. You have to be able to roll out security as quickly as you can spin up servers and micro-services. How do you do that? The answer is through automation.
There are tools that can secure every server and micro-service. But these tools need to be integrated into your operations, and automated so that each server and micro-service is secured as fast as it is spun up.
80% of enterprises interviewed in our new research use a managed service to automate hybrid IT security.
Evolve your skills
There is a recognised global shortage of cybersecurity skills, and the more your company tries to embrace hybrid IT, the more you’re going to run into it.
One approach, which follows the trend in IT operations generally, is to outsource your security operations, so you can concentrate more on planning and innovation.
I’ve seen my own job evolve a lot in just the last six months. It used to be about tactical management and planning of our managed security services. Now it’s more about research and strategic innovation.
Take one step at a time
Another sensible strategy when faced with the scale, complexity, and urgency of hybrid IT security is to prioritise.
Get IT, security, and all the different business functions (HR, Sales, Marketing) who want to use hybrid IT, in a room together and workshop through what really needs to be tackled immediately, and what you can live with or work around. Then you agree to a roadmap, and tackle it one step at a time.
The commercial and operational advantages of hybrid IT are too good to let security get in the way. It may be complex, but securing hybrid IT is definitely possible.