This paper discusses how the information security function in enterprises must engage with business users and stakeholders to ensure innovation and the adoption of digital transformation.
The promise of the digital new world is inextricably locked with cloud computing technologies.
Cloud computing technology is central to the converging, interconnecting forces of collaboration, mobility, BYOD, IoT and the social enterprise.
The information/data security and entitlements of users of these services and apps are bound to their identities and the contexts within which they may partake in this ecosystem.
Traditional security models, information governance, identity management and role-based access control don’t quite cut the mustard.
However, new technologies are yet to be tested both commercially and functionally.
The potential benefits to the enterprise, such as seamless collaboration, agility and efficiency, are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.
1. Security - A Digital Transformation Enabler
Alex Akinjayeju
Head of Information & Cyber Security Operations
June 2015
2. [Diagram: Digital Infrastructure for the Digital Enterprise. On-premise: Application Catalog, IT Supply Chain, Data Centre Footprint, Enterprise IT (Desktop Services, OS & Virtualisation, Infrastructure, Private & Hybrid Cloud, IT Service Management, Data Management, Applications, Information Security, BYOD), Data Centre Facilities & Operations. Transition/Transformation to off-premise: Cloud Services (SaaS, PaaS, IaaS, Hybrid Cloud), Colocation, Service Provider, Multi-Tenant Data Centre, Mobility, Collaboration.]
The promise of the digital new world is inextricably locked with cloud computing technologies.
Cloud computing technology is central to the converging, interconnecting forces of collaboration, mobility, BYOD, IoT and the social enterprise.
The information/data security and entitlements of users of these services and apps are bound to their identities and the contexts within which they may partake in this ecosystem.
Traditional security models, information governance, identity management and role-based access control don’t quite cut the mustard.
However, new technologies are yet to be tested both commercially and functionally.
The potential benefits to the enterprise, such as seamless collaboration, agility and efficiency, are too rewarding to ignore. The security industry must help organisations balance the risks and rewards.
3. Agenda
• Why is Security Constraining Adoption?
• Cloud computing usage
• Focus on SaaS – Drivers
• Focus on SaaS Risks – and the rest!!
• Why IDM is Central
• The Azure Identity solution for 365 – An Example
• Key Takeaway - Get Your MOJO Back !!!
4. Why is Security a Constraint?
• Absence of corporate information governance framework
• Lack of engagement with business
• Security function is technology-focused as opposed to data-focused
• Data security risk is the biggest concern in the cloud
• Business needs agility not constraints
• Identity federation, SSO, Access control
• The context of the cloud is still unclear/immature to security.
7. Focus on SaaS – Drivers
• Power shift from IT to users
• Collaboration
• Mobility – data anywhere, everywhere
• Urgency/Immediacy of need
• IT’s time to fulfil requests
• Change in working culture
• Procurement processes are clunky
• Can’t sanction employees for doing their work efficiently and quickly
8. Focus on SaaS Risks – and the rest!!
• Typically procured by shadow IT – no security diligence
• Some service providers claim ownership of data uploaded to their service
• Security has no visibility of data in the cloud or of who has access to it
• Data is extensively shared with 3rd parties with no visibility of their JML process
• Internal IDM not integrated with SaaS
• Data security attributes, classification, encryption and control are lost
• Enforcement of corporate security policy is not consistent across multiple SaaS apps
• Other issues include data loss, malware, copyright, decommissioning, monitoring etc.
Source: Ricoh.com
9. More on SaaS Risks – and the rest!!
• Enterprise & Cloud security issues = SAME but different contexts.
• Leavers still have access to data
• Compliance standards: PCI DSS, HIPAA, SOX, DPA, ISO 2700x, ISMS
• Enterprise data ownership is not clear
• Use of PaaS and IaaS is increasing and threatening the established order
• Vendor lock-in
• Physical location of data & data centres – talk about the American Patriot Act & Snowden’s effect
if ESn = CSn what is n?
10. Why IDM is Central
• IDM is central to users’ digital entitlements and access
• Articulate your IDM goals/strategy; if AD is integral, sort it out first!
• Authentication and access must be consumable in the cloud
• Federation deployments have struggled under enterprise IDM solutions: expensive, complicated, long-winded, with minimal outcomes
• Consider identity in the cloud
• Re-assess SSO strategy; exempt highly sensitive systems/applications and data from SSO
11. The Azure Identity Solution for 365 – An Example
[Diagram: Active Directory → Identity → SSO to 2200+ SaaS apps]
12. Key Takeaway - Get Your MOJO Back !!!
• Security Practitioners
– Guard your credibility, do not spread FUD
– Engage your users & stakeholders
– Understand your organisation’s business drivers and objectives
– Be prepared to respond to the SO WHAT?
• Embrace/Engage shadow IT
• Take control
– Discover and risk assess SaaS apps already in use;
– Recommend appropriate & proportionate controls;
– Discover data in the cloud and who has access to it;
– What are the security attributes of these data?
– Keep it KISS
• Develop relevant digital security policies
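The "Take control" steps above, together with the slide 8/9 risks (leavers still have access, internal IDM not integrated with SaaS, no visibility of who has access), come down to one recurring check: reconcile each SaaS app's user list against the corporate identity source. The script below is an added example and is not part of the presentation; the directory export, the two SaaS apps ("crm", "filesharing"), every e-mail address and the severity weights are constructed sample data, and a real run would replace them with the IdP/HR export and each app's admin export.

```python
"""Reconcile SaaS user lists against the corporate identity source (JML check).

Added example, not from the presentation. All identities, app names, roles
and severity weights below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed corporate directory export: status and leave date per identity.
CORPORATE_DIRECTORY: Dict[str, dict] = {
    "a.smith@example.com": {"status": "active", "left": None},
    "b.jones@example.com": {"status": "left", "left": date(2015, 3, 31)},
    "c.wong@example.com": {"status": "active", "left": None},
    "d.patel@example.com": {"status": "left", "left": date(2015, 5, 15)},
}

# Constructed user lists exported from two fictional SaaS apps.
SAAS_USER_LISTS: Dict[str, List[dict]] = {
    "crm": [
        {"email": "a.smith@example.com", "role": "user"},
        {"email": "b.jones@example.com", "role": "admin"},      # leaver, still admin
        {"email": "partner@thirdparty.test", "role": "user"},   # 3rd-party share
    ],
    "filesharing": [
        {"email": "c.wong@example.com", "role": "owner"},
        {"email": "d.patel@example.com", "role": "user"},       # recent leaver
        {"email": "e.kim@example.com", "role": "admin"},        # no corporate identity
    ],
}


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    role: str
    issue: str      # "leaver" | "unknown_identity" | "external"
    severity: int   # higher is worse; drives the review order


def classify(app: str, account: dict, directory: Dict[str, dict],
             corporate_domain: str = "example.com",
             today: date = date(2015, 6, 1)) -> Optional[Finding]:
    """Return a Finding for one SaaS account, or None if it reconciles cleanly."""
    email = account["email"].lower()
    role = account["role"]
    privileged = 1 if role in {"admin", "owner"} else 0
    entry = directory.get(email)
    if entry is None:
        # Corporate-looking address with no directory record: nobody owns it.
        if email.endswith("@" + corporate_domain):
            return Finding(app, email, role, "unknown_identity", 3 + privileged)
        # External collaborator: visible now, but outside our JML process.
        return Finding(app, email, role, "external", 1 + privileged)
    if entry["status"] == "left":
        # Leaver who still holds an account; worse if privileged or long gone.
        overdue = 1 if (today - entry["left"]).days > 30 else 0
        return Finding(app, email, role, "leaver", 4 + privileged + overdue)
    return None  # active identity with a matching directory record


def reconcile(saas_lists, directory, **kw) -> List[Finding]:
    """Run classify() over every account in every app, worst findings first."""
    findings: List[Finding] = []
    for app, accounts in saas_lists.items():
        for acct in accounts:
            finding = classify(app, acct, directory, **kw)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: (-f.severity, f.app, f.email))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type for the management summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    report = reconcile(SAAS_USER_LISTS, CORPORATE_DIRECTORY)
    for f in report:
        print(f"sev {f.severity}  {f.app:<12} {f.email:<28} {f.role:<6} {f.issue}")
    print(summarize(report))
```

The ordering is the point: the leaver who is still an admin in the CRM comes out first, the unowned corporate-looking admin account and the recent leaver next, and the external collaborator last as something to review rather than revoke on sight. Re-running this on a schedule turns "leavers still have access" from an assumption into a measured number.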
13. Key Takeaway - Get Your MOJO Back !!!
• Lead the information governance debate; it is not all about data classification
• Future-proof identity management;
• Consider context based access control – RBAC does work outside the enterprise!;
• Simplify complexity; consider access security brokerage;
• Use publicly available frameworks to assess service providers
• Sort out identity management; perhaps deploy a temporary tactical solution.
• We can no longer dictate what “End User” devices our people have, or how they connect!
• Don’t forget Availability, Performance, Change Management, Incident Management, clarity of external connectivity, accountabilities, location of data
[Diagram: cycle of Identify → Assess → Control → Review]
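Slides 10 and 13 recommend context based access control, re-assessing SSO so that highly sensitive systems are exempted from it, and access security brokerage. The example below is added here and is not part of the presentation; it puts a role-only check beside a decision that also weighs data classification, device state, MFA and whether the caller holds only a federated SSO session. The roles, resources, classifications, the "step-up MFA instead of plain SSO" reading of the exemption rule, and the browser-only obligation for BYOD access are all constructed assumptions.

```python
"""Context-based access decisions beside a role-only check.

Added example, not from the presentation. Roles, resources, classifications,
thresholds and the step-up rule are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Role-based part: which resources each role is entitled to (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance_analyst": {"expense_reports", "payroll"},
    "sales_rep": {"crm_contacts"},
    "engineer": {"source_repo"},
}

# The data security attribute a pure role check ignores (constructed).
CLASSIFICATION: Dict[str, str] = {
    "expense_reports": "internal",
    "crm_contacts": "confidential",
    "source_repo": "confidential",
    "payroll": "highly_sensitive",
}


@dataclass(frozen=True)
class Context:
    managed_device: bool     # corporate-managed endpoint vs BYOD
    corporate_network: bool  # weak signal only; never sufficient on its own
    mfa: bool                # MFA performed for this request
    sso_session: bool        # authenticated only via the federated SSO session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    obligations: Tuple[str, ...] = ()   # conditions an access broker must enforce


def rbac_decision(role: str, resource: str) -> bool:
    """Role-only check: same answer whatever the device, network or auth."""
    return resource in ROLE_ENTITLEMENTS.get(role, set())


def context_decision(role: str, resource: str, ctx: Context) -> Decision:
    """Role check first, then tighten by data classification and context."""
    if not rbac_decision(role, resource):
        return Decision(False, "role not entitled")
    cls = CLASSIFICATION[resource]
    if cls == "highly_sensitive":
        # Exempt from plain SSO: require step-up MFA on a managed device.
        if ctx.sso_session or not ctx.mfa:
            return Decision(False, "highly sensitive: step-up MFA required, "
                                   "SSO session alone not accepted")
        if not ctx.managed_device:
            return Decision(False, "highly sensitive: managed device required")
        return Decision(True, "allow")
    if cls == "confidential":
        if ctx.managed_device:
            return Decision(True, "allow")
        if ctx.mfa:
            # BYOD with MFA: allow, but keep the data inside the browser session.
            return Decision(True, "allow on unmanaged device",
                            ("browser_only", "no_download"))
        return Decision(False, "confidential: unmanaged device without MFA")
    # internal: deny only when no trusted signal is present at all
    if not (ctx.managed_device or ctx.corporate_network or ctx.mfa):
        return Decision(False, "internal: no trusted signal in context")
    return Decision(True, "allow")


# Constructed requests: (role, resource, context).
SAMPLE_REQUESTS = [
    ("finance_analyst", "payroll", Context(True, True, True, False)),    # allow
    ("finance_analyst", "payroll", Context(True, True, True, True)),     # deny: SSO only
    ("sales_rep", "crm_contacts", Context(False, False, True, True)),    # allow, restricted
    ("sales_rep", "crm_contacts", Context(False, False, False, True)),   # deny: BYOD, no MFA
    ("engineer", "payroll", Context(True, True, True, False)),           # deny: role
]


def disagreements(requests) -> int:
    """Count requests the role check allows but the context check denies."""
    return sum(1 for role, res, ctx in requests
               if rbac_decision(role, res) and not context_decision(role, res, ctx).allowed)


if __name__ == "__main__":
    for role, res, ctx in SAMPLE_REQUESTS:
        d = context_decision(role, res, ctx)
        print(f"{role:<16} {res:<16} rbac={rbac_decision(role, res)!s:<5} "
              f"ctx={d.allowed!s:<5} {d.reason} {d.obligations}")
    print("role-only allows, context denies:", disagreements(SAMPLE_REQUESTS))
```

The two payroll requests are the case the deck is making: the same role gets the same role-based answer, yet only the request that carries a step-up MFA outside the SSO session is allowed. The obligations tuple is how a decision like "allow on BYOD, browser only" is handed to an access security broker rather than lost.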