The security transformation is a term used to describe a profound shift in the IT industry. It would be easy enough to say that IT security has become more important, or that there are more security considerations, but the security transformation is more about a qualitative shift: a different way of thinking about IT security. And it has come about primarily (though not entirely) as a result of cloud ubiquity.
Wave goodbye to the perimeter
Organizations move to the cloud because of the advantages in mobility, cost, flexibility, scalability and so on – but the move has profound security implications. Traditional security is based on an inside and an outside, and on the assumption that you can safeguard the inside with a secure perimeter – characterized by the firewall. The cloud does not have an inside and an outside, and so ‘perimeter-thinking’ is not appropriate.
Awareness of the limitations of the perimeter has grown slowly, but the development of cloud services – and the uptake of those services, often outside corporate control (“Shadow IT”) – is happening at terrific speed. Microsoft (like other vendors) has released a range of security technologies and capabilities recently, and continues to do so – baking these features into its products (“the biggest security company you have never heard of”).
The Cloud Challenge
There is usually a need for some on-premises remediation, but the biggest change is all about cloud. A reliable underlying identity management infrastructure is more important than ever, and solid governance processes must also be in place to assess risk and compliance. However, corporate data in the cloud or cloud-hybrid world can only be protected by the intelligent application of several complementary capabilities, including the above, but also such features as:
- Identity protection (e.g. assessing risky users and logons, and remediating by forcing further authentication, password reset, or blocking entirely)
- Conditional access (e.g. step-up authentication for sensitive apps)
- Cloud application security (who is using what, and what to do about it)
- Information protection (or data loss prevention – encrypting documents to protect them in motion as well as at rest)
- And so much more…
First published April 2017.