Cloud Security: From Hacking the Mainframe to Protecting Identity

By Andi Mann, Vice President, Strategic Solutions at CA

Cloud computing, mobility, and the Internet of Things are leading us towards a more technology-driven world. In my last blog, I wrote about how the Internet of Things will change our everyday lives, but with these new technologies comes new risks to the organization.

To understand how recent trends are shifting security, let’s revisit the golden age of hacking movies from the ‘80s and ‘90s. A recent post by Alexis Madrigal of The Atlantic sums up this era of Hollywood hackers by saying that “the mainframe was unhackable unless [the hackers] were in the room, in which case, it was simple.” That’s not far off from how IT security was structured in those years. Enterprises secured data by keeping everything inside a corporate firewall and only granting accessed to employees within the perimeter. Typically, the perimeter extended as far as the walls of the building.

When the cloud emerged on the scene, every IT professional said that it was too risky and introduced too many points of vulnerability. They weren’t wrong, but the advantages of the cloud, such as increased productivity, collaboration, and innovation, weren’t about to be ignored by the business. If the IT department just said no to cloud, the business could go elsewhere for their IT services – after all, the cloud doesn’t care who signs the checks. In fact, a recent survey revealed that in 60% of organizations, the business occasionally “circumvents IT and purchases technology on their own to support a project,” a practice commonly referred to as rogue IT, and another recent study found a direct correlation between rogue IT and data loss. This is obviously something that the IT department can’t ignore.

Identity is the New Perimeter

The proliferation of cloud connected devices and users accessing data from outside the firewall demands a shift in the way we secure data. Security is no longer about locking down the perimeter – it’s about understanding who is accessing the information and the data they’re allowed to access. IT needs to implement an identity-centric approach to secure data, but according to a recent Ponemon study, only 29% of organizations are confident that they can authenticate users in the cloud. At first glance, that appears to be a shockingly low number, but if you think about it, how do you verify identity? Usernames and passwords, while still the norm, are not sufficient to prove identity and sure, you can identify a device connected to the network, but can you verify the identity of the person using the device?

In a recent @CloudCommons tweetchat on cloud security, the issue of proving the identity of cloud users kept cropping up:

 Andi Mann

Today’s hackers don’t need to break into your data center to steal your data. They just need an access point and your username and password. That’s why identity and access management is such a critical component of IT security. New technologies are emerging to meet the security challenge, such as strong authentication software that analyzes risk and looks for irregularities when a user tries to access data. If a user tries to access data from a new device, the strong authentication software will recognize that it’s a new device and extra authentication flows kick in that require the user to further verify their identity.

What IT should be doing now to secure identity

To take advantage of cloud computing, mobility, and the Internet of Things in a secure way, the IT department needs to implement these types of new and innovative technologies that focus on verifying identity. In addition to implementing new technologies, the IT department needs to enact a broader cloud and mobile device strategy that puts the right policies and procedures in place and focuses on educating employees to minimize risk. Those in charge of IT security must also establish a trust framework that enforces how you identify, secure and authenticate new employees and devices.

Cloud computing, mobile devices, and the Internet of Things can’t be ignored by IT and the sooner a trust framework and a cloud security strategy is established, the sooner your organization can take advantage of new and innovative technologies, allowing the business to reap the benefits of cloud, mobile, and the Internet of Things, while keeping the data safe and sound. And to me, that sounds like a blockbuster for IT.

 

Andi Mann is vice president of Strategic Solutions at CA Technologies. With over 25 years’ experience across four continents, Andi has deep expertise of enterprise software on cloud, mainframe, midrange, server and desktop systems. Andi has worked within IT for global corporations, with software vendors, and as a leading industry analyst. He has been published in the New York Times, USA Today, Forbes, CIO, Wall Street Journal, and more, and has presented worldwide on virtualization, cloud, automation, and IT management. Andi is a co-author of the popular handbook, ‘Visible Ops – Private Cloud’, and the IT leader’s guide to business innovation, ‘The Innovative CIO’. He blogs at https://pleasediscuss.com/andimann and tweets as @AndiMann.