Why security has yet to move from beyond the ‘castle walls’ – and how to do it

Craig Talbot, VP EMIEA, iboss, on why security has yet to move from beyond the ‘castle walls’ – and how to do it

Craig Talbot, VP EMIEA, iboss, looks at what is needed to properly move security to the cloud so that firms can fully gain its benefits, with employees protected wherever they may be and whatever service they are using.

Most organisations have either already shifted core elements of their IT to the cloud or will do so in the near future. This means that most of their data now typically lives across multiple different clouds, rather than residing on premises as it did in the past.

Because this data is effectively beyond the ‘castle walls’ of their network perimeter, organisations are in something of a state of transition when it comes to the cloud and their approach to securing it.

And since users are no longer confined within the four walls of the organisation and can access the cloud from anywhere, in many cases employees are being held back from using the cloud securely and effectively.

Most firms do not use the cloud to control their security

A stark illustration of how firms have moved to the cloud while their security has not is the Gartner statistic that 71% of organisations are still using on-premises appliances. The appliance is the essential part of the network that staff must pass through in order to reach any connected service. It is effectively ‘the first line of defence’ governing how employees access the Internet: it protects users and the companies they work for by filtering unwanted malware out of Internet traffic and enforcing corporate and regulatory policy compliance.

An appliance ‘stuck’ in a data centre effectively negates many of the benefits of the cloud. Appliances can only secure users while they work within the organisation. Users who work outside it must send all their traffic back to the appliances for inspection, so their traffic is routed to wherever the appliance sits in the corporate network and then out again to the Internet.

This introduces latency, with potential virtual journeys (over expensive bandwidth) of thousands of miles for each server request. And as the amount of company data increases, the hardware requires continuous upgrades just to keep up. The appliance has effectively become a bottleneck to the cloud.

Security should follow the user

Instead, security should shift its focus to the user and to securing access to data as it resides across multiple third-party clouds. Moving security to the cloud allows it to follow users wherever they go. This means compliance, malware defence and data loss prevention are always applied, because users connect through security in the cloud at all times. In addition, since security lives in the cloud, it can scale elastically to provide the capacity needed to process an ever-increasing amount of bandwidth and connectivity.

Many firms ‘get’ this and have tried it already – only to be left disappointed. A particular ‘gripe’ has been that the switch from appliances to cloud security typically requires sacrifices to their security and operational practices, and that they have had to forfeit their IP address identity when moving to a cloud solution.

Furthermore, firms have found they had to give up the non-shared proxy service that is native to appliances and move to proxy services shared across multiple customers in the cloud. This has resulted in uneasy implementations, and firms have found themselves locked in to one provider.

Avoiding uneasy implementations

As frustrating as some of these experiences have been, they can be mitigated entirely. Every firm should ask the following of any provider of an Internet security gateway:

  1. Does my organisation get to retain its own IP address when migrating to the cloud (versus a shared IP across multiple customers)? If so, this gives much greater control, helping to identify and prevent certain (potentially infected) devices from accessing data in the cloud when they are off network.
  2. Is my organisation’s data held separately from that of other customers? Many cloud-based providers put customers on the same data plane, meaning that their data is effectively ‘mixed’ with that of other customers. Many companies would feel uncomfortable with that situation from a security perspective. It also lessens the ability of customers to control, at a granular level, where their data resides in the cloud.
  3. Does the provider have a global cloud footprint? The closer the gateway is to the user, the lower the latency and the better the experience.
  4. Can my firm geo-isolate where our employees’ data resides in the cloud? This is an important feature of GDPR and ensures that firms can meet their data privacy responsibilities to their employees more easily.

The answer to all four of the above should be ‘yes’. That would allow organisations to carry out their move to cloud security in a staged and controlled manner, without sacrificing the benefits they derived from deploying on premises.

Just as importantly, it would bring security to wherever their users are. Being geographically closer means faster connections and eliminates latency issues.

It has the effect of making employees appreciate the experience their corporate IT gives them rather than resenting it. Security effectively becomes an enabler of their work, not a barrier.

Intelligent CISO

View Magazine Archive