The Necessity Of Cloud- Delivered Integrated Security Platforms

Transcription

1 A Forrester Consulting Thought Leadership Paper Commissioned By Zscaler October 2015 The Necessity Of Cloud- Delivered Integrated Security Platforms

2 Table Of Contents Executive Summary... 1 Information Security Is Now A Top Business Priority... 2 Today s Security Postures Fall Short... 4 Integrated Security Platforms Are The Way Forward... 5 Integrated Security Platforms Offering Cloud Deployment Maximize Value... 8 Key Recommendations Appendix A: Methodology Appendix B: Endnotes ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to [1-SE9SZS]

3 1 Executive Summary Every organization depends on the trust built with its customers. If an organization breaches customer trust, the customers will flee to competitors. The rapid and accelerating adoption of cloud computing, mobility, and the Internet of Things (IoT) coupled with increasingly more sophisticated cyberthreats has reduced the effectiveness of traditional appliance- and software-based security architectures. The resultant climate of major public breaches has contributed to security becoming an item on the boardroom agenda. As a result, the role of the CISO has expanded to include consumer advocacy, brand protection, and promotion of new and better ways to secure the organization. As organizations focus on required processes and technologies to secure confidential information, they often express dismay with the multitude of point s and the number of appliances in their security portfolio. Alerts go off by the thousands with no analysis or response, and we collect increasing volumes of security from multiple vendors technologies, leading to needless costs and challenges. Organizations are adopting cloud computing, mobility, and IoT to save money and improve employee productivity, but traditional security appliances are ill-suited to secure this new world. The resulting needs of security professionals are loud and clear: simple and powerful ways to protect data and employees everywhere, without the proliferation of point appliances. These are the catalysts for adopting an integrated, cloud-based approach to security. Security professionals are fed up with having multiple vendor point s and appliances. The call is for integrated, cloud-based security. In January 2015, Zscaler commissioned Forrester Consulting to evaluate how the security market views both integrated security s as well as cloud computing/software-as-a-service (SaaS)-based delivery models. To further explore this trend, Forrester developed a hypothesis that tested the assertion that a significant portion of the security market will move down the path of integrated cloud-delivered security s and that this evolution will provide better functionality, better security, and superior economics than what can be achieved with on-premises point software or appliances. In conducting an in-depth survey of 130 US IT security or strategy decision-makers at firms with at least $250 million in annual revenue, Forrester found that these companies consider security particularly data security to be a critical component of their organizations competitiveness within their markets and industries. These companies seek advanced security capabilities that they want to deploy within the next year. Furthermore, these companies clearly indicated that they believe that adopting integrated cloudbased security s will both improve their security postures and reduce costs. KEY FINDINGS Forrester s study yielded three key findings: Ninety-eight percent of decision-makers recognize that integrated s can deliver better security functionality than point s. CISOs need to look at their security tools in a new light, focusing on integrating these tools or replacing them with an integrated security delivered from a flexible cloud infrastructure. Complexity and cost reduction plus improved security rank as the primary benefits of cloud-based security-as-a-service. Cloud delivery of an integrated security provides big opportunities for CISOs to reduce complexity and costs, while at the same time improving their security posture. Eighty-two percent of decision-makers require advanced security functionality now. CISOs face the threats that require functionality such as automated machine learning, crowd-shared threat intelligence, integration between security products, and strong encryption technologies sooner rather than later.

4 2 Information Security Is Now A Top Business Priority FIGURE 1 Information Security Provides Competitive Advantage As consumers become more aware of cybersecurity attacks, they increasingly scrutinize organizations on their ability to secure information. This elevates CISOs to the position of protecting their company s brand in addition to its data. 1 As a result, the most successful organization will recognize information security specifically data security as a top overall business priority. Data security is particularly challenging, as the complexity of managing a multitude of point security appliances inherently increases the overall likelihood of an organization developing security gaps. In our study, IT strategy and security decision-makers showed they embrace security as a top business priority by stating that: Information security is core to competitiveness. Eighty-four percent of respondents to our survey completely agreed that information security is core to their offerings and essential to ensure the confidentiality, availability, and integrity of such information in accordance with privacy and compliance rules. An equal portion of respondents stated that information security is highly critical for their firms ability to compete in their industries (see Figure 1). Please evaluate the statements about the importance of information security to your organization. Please rate on a scale of 1 to 5, where 1 is completely disagree and 5 is completely agree. (Showing those selecting completely agree ) Information security is highly critical to our ability to compete in our market or industry 84% 84% Information security is core to our offerings;we need to ensure information is kept confidential, available, and with integrity, meeting all necessary privacy and compliance rules Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

5 3 Data security is particularly salient. Respondents consider data security as the most important feature that would drive the purchase of an integrated security, more than any other of the 13 security features we asked about. More than half (5) included data security in their top three security purchase incentives, and 24% ranked it as No. 1 more than double any other element (see Figure 2). FIGURE 2 Data Security Ranks Top Of Mind Among All Other Technical Features In An Integrated Security Platform What are the most important features an integrated security must have working together to incentivize your purchasing decision? (Ranked first, second, or third) Data security 5 Data center security Malware detection or prevention Threat intelligence Intrusion detection Endpoint security Protect all ports and all protocols Intrusion prevention Subsume multiple point s (firewalls, A/V, web filters, etc.) Phishing protection filtering or scanning Denial of service protection Remote access (e.g., VPN) 35% 31% 26% 24% 2 21% 2 19% 16% 13% 11% 9% Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

6 4 Today s Security Postures Fall Short Despite stating the importance of information security, security professionals fall behind their partners in IT who have accelerated their virtualization, consolidation, and consumption of cloud infrastructure,, and software services over the past three to five years. While automation and integration are well on their way to becoming the de facto processes and architectural models across IT, they have yet to become the norm in security. Security professionals want similar advances in their security technologies now. They desire integration of data security and encryption with cloud-based security and policy-driven data protection across all connectivity channels. They also desire advanced functionality cloudscale visibility, machine learning, advanced correlation, and crowd-shared threat intelligence that requires a and/or cloud-based approach to security that leverages big data. Moreover, they ask for it now. Professionals in this study stated that: most critical, with 8 of firms requiring this either now or within a year, and nearly half (48%) requiring this immediately. Twenty-six percent or more reported an immediate need across seven advanced security functionalities, and 34% or more require these functionalities within one year (see Figure 3). Using disparate security technologies is counterproductive. Lack of staff, inadequate training, or poor processes all contribute to internal friction and open the door to attacks. Heterogeneous security technology portfolios amplify these shortcomings by limiting orchestration and reducing a firm s ability to respond to attacks. 2 Disparate security technologies make it much more difficult to leverage advanced analytics, because by definition data is fragmented in multiple silos. Organizations imminently need security stance improvement. Functionality that provides strong integration with data security or encryption technology is FIGURE 3 Most Decision-Makers Require Advanced Security Functionality Now Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

7 5 Integrated Security Platforms Are The Way Forward This study clearly indicates that security professionals recognize that the era of point security s is over. The way forward is clear: Organizations must demand integrated security s that combine multiple security functions into a single framework. Unified administration, policy management, reporting, analytics, and threat detection and mitigation are key capabilities to look for. APIs and integration across multiple security technologies from multiple vendors are also critically important. It is important to note that the way most security vendors deliver technology is at odds with security professionals overwhelming desire for integrated security s the bulk of today s security market consists of point s. As a result, developing a -based security strategy begins by looking to the new generation of security vendors, secure vendors with robust APIs, and managed security service providers. Forrester regularly speaks with organizations that successfully integrate their endpoint and network security; overall, they report fewer false positives and more actionable intelligence compared with those implementing point products operating in isolation. 3 Nevertheless, 65% of technology decision-makers heavily rely on comparing a preferred against a comparable one from two or more vendors to assist in their final purchase decision. 4 Survey results in this study show why decision-makers need to abandon the point approach and move toward an integrated one, with respondents stating that: FIGURE 4 Decision-Makers Overwhelmingly Find Integrated Platforms Provide Effective Security How effective would an integrated security be in delivering a broad variety of cyber security capabilities versus deploying multiple point s from many vendors? Very effective Somewhat effective Neither effective nor ineffective Somewhat ineffective Not effective 2 76% 98% would find an integrated effective Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015 Firms view their security portfolio from a unified perspective. Few debate over the value of an integrated security portfolio. A whopping 98% of respondents believe an integrated security would be more effective in delivering a broad variety of cybersecurity capabilities versus multiple point s (see Figure 4). Seventy-six percent of respondents consider integrated s as very effective in comparison.

8 6 Integrated s can overcome a fragmented approach to security. Fragmented approaches to security present a clear barrier to advanced security techniques, most of which are enabled by consistent big data across security technologies. Advanced analytics (63%), machine learning (5), and encryption (64%) are all technologies that respondents indicated are enabled by integrated security s (see Figure 5). Cloud-based security can leverage data beyond that captured by an individual company to provide even greater security. Respondents clearly look to cloudbased security to deliver crowd-shared threat intelligence (59%), cloud-scale visibility (73%), and advanced anomaly detection based on unsupervised machine learning (55%) (see Figure 5). FIGURE 5 Both Integrated Platforms And Cloud-Security-As-A-Service Solutions Are Capable Of Delivering Advanced Security Functionalities Do you envision the following functionalities being delivered by either an integrated security or a cloud-security-as-a-service? (Select all that apply) Advanced security analytics Other 1% 1% 63% 46% Advanced anomaly detection based on unsupervised machine learning Other 4% 3% 5 55% Advanced anomaly detection based on supervised machine learning Other 5% 1% 5 5 Crowd-shared threat intelligence 46% 59% Strong integration with data security or encryption technology 64% 5 Increased cloudscale visibility 3 73% Software-defined networking or network function virtualization 53% 5 5% 3% 1% 1% Other Other Other Other Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

9 7 Integration is integral when looking at security s. Seventy-four percent of security professionals demonstrate a clear desire for security s to integrate with their existing security technologies (see Figure 6). FIGURE 6 Integration Is Most Important When Considering Platforms With A Community Ecosystem For a that has a community ecosystem, which functionalities would be most important for you? (Rank the top three) Rank 1 Rank 2 Rank 3 Total Integration with existing or other security technology from a variety of vendors 35% 26% 13% 74% Threat intelligence sharing 19% 2 13% 54% Implementation advice or services 15% 13% 21% 49% Value-added applications or s from available 13% 18% multiple vendors APIs or web services you can use for integration and automation 8% 1 18% 16% 47% 38% Troubleshooting 9% 9% 19% 37% Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

10 8 Integrated Security Platforms Offering Cloud Deployment Maximize Value FIGURE 7 Reducing Cost And Enabling Emerging Technologies Drive Adoption Of Cloud-Security-As-A-Service Offerings Security and risk professionals clearly indicated that security protection must be integrated with network controls as part of an easy-to-use. Drivers for SaaS delivery of security technologies include improved security, higher scalability, lower operational overhead, and the need for a thinner client footprint. As a result, organizations adopting integrated security s with cloud deployment options can free up internal resources to focus on other, more critical tasks. 5 Decision-makers in this study echo these benefits, as they indicated that: Cloud deployments reduce cost and enable better security capabilities. Beyond looking for strong integration, decision-makers also seek out cloud deployment models when evaluating security technologies. Reduced cost is a key driver 67% of respondents included it among their top three major goals. These professionals also cited, with impressive numbers, the ability of cloud deployments to enable emerging (but increasingly standard) technologies such as mobile and the Internet of Things (see Figure 7). What are your main drivers when seeking to adopt a cloudsecurity-as-a-service offering? (Rank the top three) Reduce overall cost of security Embrace the new world of mobility, cloud computing, and the Internet of Things Eliminate backhauling traffic to centralized data centers Shift capital expense to operating expense % 14% 14% 17% 11% Allow for elastic provisioning 1 1 to meet fluctuating demand Reallocate my employees to more strategic tasks 9% 16% 14% Rank 1 Rank 2 Rank 3 Total 2 18% 18% 18% 17% 2 67% 64% 47% % Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

11 9 Cloud security-as-a-service offers better security than on-premises hardware or software security offerings. Forty-nine percent of decision-makers stated that a top three major goal for cloud security-as-a-service adoption is gaining better security than on-premises deployments, while 48% said that a top three major goal is for cloud security-as-as-service to secure areas that on-premises deployments cannot such as remote locations, mobile devices, and Internet-of-Things s (see Figure 8). These findings indicate that professionals acknowledge and value that the flexibility and scalability of cloud are truly providing a more secure environment overall. FIGURE 8 Cloud Security-As-A-Service Secures What On- Premises Deployments Cannot What would be your major goals when seeking to adopt a cloud security-as-a-service offering? (Rank the top three) To gain better security than I can achieve with on-premises hardware or software To secure branches, remote locations, mobile devices, and "things" that are difficult to secure with hardware or software Rank 1 Rank 2 Rank 3 Total 19% 17% 13% 17% 16% 15% 49% 48% Safely adopting cloud computing and SaaS or opening up cloud-based social collaboration to increase employee productivity 17% 13%13% 43% Moving security into the cloud in effort to deploy cloud-enabled networking/ software-defined networks 113% 18% 43% To increase business agility 15% 13% 11% 39% To replace and/or consolidate security appliances and software 7% 15% 1 3 To add an additional layer of security on top of what I am already doing 6% 15% 7% 7% 28% To reduce deployment times 5% 5% 17% Source: A commissioned study conducted by Forrester Consulting on behalf of Zscaler, March 2015

12 10 Key Recommendations Forrester s in-depth surveys with security decision-makers yielded several important observations and suggest some guiding principles for effective data security. To maintain customer trust through data security, you should: Make integration and orchestration must-have features for all security technologies in your portfolio. Build your security ecosystem with a constant eye toward integrating s under a central management. Begin to demand an integrated approach, with APIs, from your security vendors, and include the requirement for security as a in your RFP processes. When evaluating new approaches to security, seek out integrated ecosystems, where vendors have already developed integration between their products across a broad range of security capabilities. Also consider managed security service offerings, where service providers are delivering pre-integrated security s. Create a comprehensive data security strategy designed to address all channels and devices used to access sensitive assets. A Zero Trust security architecture has no trusted zones. Remember to include employee- and partner-owned devices, data in the cloud, and encrypted traffic in your plans. Expand the coverage of your next-generation firewalls to include your virtual environments and mobile devices that access cloud resources from off network. Look for endpoint protection s that use dynamic analysis, such as application or process sandbox analysis and user or kernel activity behavior monitoring. Exploit kits allow attackers to mutate and customize malware, making signature-based detection of malicious traffic and payloads ineffective. Detecting these mutating treats requires a wide range of heuristic- and behavior-based analysis approaches. These approaches must take place before attackers reverse-engineer threats and deploy signatures to standard antivirus tools. Take full advantage of cloud-sourced threat intelligence in order to learn from the attacks other organizations experience. Ask your vendors to provide exact details on how they analyze and interpret data. Simply using command and control IP addresses seen by other organizations does not gain much, as each malware variant reports back to a distinct set of command and control servers. Acknowledge that encryption is a two-edged sword. Encryption is a powerful tool to protect data. However, encryption can also hide exfiltration and command and control traffic. Take care to manage encryption keys and the custom root certificates used to examine encrypted traffic.

13 11 Appendix A: Methodology In this study, Forrester conducted an online survey of 130 IT security and strategy decision-makers from companies in the US with at least $250 million in revenue to evaluate the move toward and benefits of integrated security s deployed in the cloud. Questions provided to the participants asked about their strategic IT security priorities, the role of IT in their market positioning and competitiveness, and their perceptions of cloud-based security s. We offered respondents a small incentive, determined by their survey panels, as a thank you for time spent on the survey. We began the study in January 2015 and completed it in March Appendix B: Endnotes 1 Source: Twelve Recommendations For Your Security Program In 2015, Forrester Research, Inc., March 12, Source: Forrester s Targeted-Attack Hierarchy Of Needs: Assess Your Core Capabilities, Forrester Research, Inc., January 7, Source: Prepare For The Post-AV Era Part 2: Layer Your Endpoint Security Tools For Max Protection, Forrester Research, Inc., July 7, Source: Understand The State Of Network Security: 2014 to 2015, Forrester Research, Inc., December 22, Source: The State Of Endpoint Security Adoption 2014 To 2015, Forrester Research, Inc., September 24, 2014.