Richard Blanford, CEO Fordway
As we emerge from the period of Covid-lockdowns and restrictions, two factors have changed the way many of us work for good. Digital transformation was already well underway for many organisations, but the pandemic accelerated the move, with many going from no cloud or an in-progress, hybrid system, to full public cloud in a matter of months.
Meanwhile s some organisations have found that working from home suits them and their people very well, and many are keen to accommodate a hybrid approach to work. As an IT as a Service provider we see these two factors having their effect across organisations regardless of their size and market.
Where some see challenge, others see opportunity
While the pandemic created challenges for organisations, it also created opportunities for bad actors. The IBM 2021 data breach report found the highest average cost of breaches in its 17-year history at £4.24 million per incident on average.
One particular type of breach has had a field day – ransomware. The State of Ransomware 2020 report from Sophos documents the growth of Ransomware as a Service during the pandemic. Effectively this separates technical expertise in development of ransomware from its deployment allowing bad actors without technical knowledge to mount attacks. It doesn’t take a huge leap of imagination to conclude that more organisations are vulnerable to attack attempts than ever before.
A job for the specialists
All organisations need to be aware of the dangers and take steps to protect themselves. When an organisation manages its own networks and data security, the task is complex and never ending. Use software to check network entry points for probes and breaches. Constantly update and patch everything. Where a network endpoint is a user’s laptop on which data resides, work out how to remotely scan, provision, and patch, while maintaining secure wireless connectivity wherever that user happens to want to work. And that’s just the start. Technical teams can run themselves ragged just keeping one step ahead of potential incursions.
The way to mitigate this level of risk is to minimise the attack surface – reduce the possible entry points for a bad actor to the smallest number possible. This is best achieved by levering the power of IT as a Service delivered in the public cloud. It is no coincidence that the likes of Azure, AWS and Google Cloud, plus major SaaS vendors, have seen exponential growth over the last year. Their offers are now mature and well understood. They provide capability to enforce strong data security, and with SaaS (Software as a Service), customers receive ongoing patches and software upgrades as a matter of course.
This is very different to Infrastructure as a Service (IaaS), and Platform as a Service (PaaS), users of which have to take on themselves the burden of patching, upgrading and working on data security.
When we say ‘public cloud’ we’re actually referring to a complex array of services available from each provider rather than a simple, ‘one size fits all’ offer. A great plus is that these services can be configured precisely as an organisation requires. You don’t license applications and services you don’t need. You only license the number of seats required at any one time, and can flex requirements as your organisation evolves. But within that lies great complexity with a wide array of options and configurations on offer. Organisations can find it difficult to navigate and find the optimum setup.
This is especially the case for those going through digital transformation for the first time, and perhaps changing both the software they use and the way data is collected, structured and interrogated. This is where IT as a Service comes into its own. ITaaS takes the most appropriate standard cloud offerings, and devises a bespoke implementation for an organisation, including operational and service support, service management, and security management.
Everything is delivered within a wrapper of contractually guaranteed Service Level Agreements. An ITaaS provider will work hard to understand a customer organisation’s needs and help them with cloud setup and service selection, guiding them through options and choices to find the best fit, so that they avoid blind alleys, and only purchase what’s needed.
The selection of technical providers is one side of the risk equation in our new reality. The other is putting both data and those who use it at the heart of an organisation’s security. Understanding the flow of data into and around the organisation is vital, as is knowing where data is stored, the number of copies held, and the business value of that data. Only when this is known can you ensure you have implemented the required protection and policy enforcement to meet organisational security policy and ensure legislative compliance. This is about understanding and if necessary revising network architecture.
In traditional environments, perimeter security has been about protecting traffic originating from data centres and coming to users inside a corporate firewall with occasional remote access needed. This is known as the ‘walled garden’ approach. But that’s not really appropriate in a world where the workforce is distributed. Instead, security has to be built into endpoints, infrastructure, business applications and solutions in their entirety. It can’t be bolted on as an afterthought. It has to be embedded.
This requires a zero trust approach. No point in the business at which data enters, exists, or travels around can be considered ‘safe by default’. In fact, the opposite approach is required, and the most granular security boundaries need to exist. Organisations need complete transparency on when data is accessed, where it travels to and from, and why it is accessed. This means data security at the level of the individual, including access logging and using techniques like AI to identify anomalous behaviours.
The mix of first class public cloud managed through an IT as a Service organisation and a business network architecture which has granular, zero trust security measures in place will take an organisation a long way in its management of data misuse risk. It will also, by its very nature, free up internal IT professionals to take on other, more interesting tasks such as helping the organisation harness the data it holds in new and exciting ways.