Rethinking IT and IT Security Strategies in an Era of Advanced Attacks, Cloud and Consumerization

Neil MacDonald
VP and Gartner Fellow
Gartner Information Security, Privacy and Risk Research
Twitter @nmacdona

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Traditional IT Models Are Strained: Increasingly We Don't Own or Control Much of IT
Inflection Points in Our Business and IT Infrastructure:
- Socialization and Collaboration
- Mobilization
- Consumerization
- Virtualization
- Cloudification
- Industrialization of Hackers
- Nationalization of Hackers

Leading to Several Key Shifts in IT
- The Need for Speed
- Software Defined Everything
- The Post-Signature Era
- Visibility & Big Data at the Heart of Next Generation IT Architectures
- A Shift up the Stack to Information

The Transformation of IT
Drivers (Identify): Massive Scale, Experimentation, Cost, Tech Competence, Mobility, Agility, Shared Data, Consumerization, New Apps
- Virtualization: 68% penetrated
- Cloud: $9 billion IaaS
- Private Cloud: 35% deployed
- Hybrid Cloud: 72% pursuing
- Hybrid IT: 74% pursuing
Inhibitors (Mitigate): Fear, Process, Orgs, Technology, Security, People, Culture, Risk, Compliance, Politics, Funding

The Need for Speed
Ultimately, the primary business case for cloud computing will often be speed for the business.
- Windows of opportunity: In a connected world, opportunities come and go, fast.
- Consumerization of expectation: The Internet has created an expectation of immediate gratification, even in B2B relationships.
- Fail faster to win: You can't win big unless you experiment; eliminate the barriers to experimentation.
- "My business doesn't need speed": Yes, they do. Either you didn't meet their needs, or they don't understand their needs yet. Help them.

The Need for Speed
What is your main driver in moving to private clouds?
- Improve Quality of Service: 12%
- Defend IT: 7%
- Reduce Costs: 3%
- Business Alignment: 10%
- Agility/Speed: 66%
- Don't Know: 2%
Gartner Data Center Conference Poll, December 2013 (N = 87)
Challenges:
- Working with users to build a business case
- Building a business case based on speed: the value of "faster"
- The value of experimentation

Private Cloud Progress
How far along are you in a private cloud computing strategy?
- 13% No plans yet
- 52% Planning
  - 30% Putting plans together, unsure when will deploy
  - 22% Putting plans together, deployment by end of 2014
- 35% Deployed
  - 14% Pilot deployment in place
  - 17% A full-service deployment is in place (production or dev./test)
  - 4% Several services are in place, fairly mature
Gartner Data Center Conference Poll, December 2013 (N = 71)

Private Cloud Computing Challenges
Message: Technology is one of the easiest challenges
What are your three biggest challenges in creating a private cloud computing service?
[Chart: First, Second and Third choices for each category]
- Management and operational processes
- Culture
- Service description and self-service interface
- Funding/Chargeback model
- Business/Customer relationship
- Politics
- Security
- Technology
Gartner Data Center Conference Poll, December 2013 (N = 92/92/89)

Software Defined Everything: SDx
The Data Center Becomes Programmable
- Software-defined Networking
- IaaS
- OpenStack
- Software-defined Storage
- Software-defined Security
- Software-defined Everything
- Fabric-based Computing
- Real-time Infrastructure
- Software-defined Data Center
- Integrated Systems
- Open Compute Project

Detection of Advanced Targeted Attacks (Advanced Persistent Threats)
[Diagram labels: Model, Observed, "= bad", "= bad"]
Understand what "bad" looks like, and look for similarities:
- Antivirus
- Intrusion prevention systems
- Thresholds exceeded
Understand what "good" looks like, and look for meaningful differences:
- Baselining
- Anomaly detection
- Predictive failure analysis
Increasingly sophisticated models of both "good" and "bad" are needed. Better models require more data.

Complete Protection = Blocking/Prevention & Detection/Response
- Block and Prevent
- Detect and Respond

Complete Protection Requires Comprehensive Adaptive Protection
[Diagram: Predictive, Preventative, Adaptive, Retrospective, Detective]

With a Core Based on Continuous Monitoring and Analytics
[Diagram: Predictive, Preventative, Continuous Monitoring and Analytics, Retrospective, Detective]

Full Lifecycle Protection Efforts: Before, During and After Attacks
- Predictive
- Preventive: Inline, real time (subsecond)
- Adaptive
- Retrospective: Postincident (minutes to months)
- Detective: Near real time (seconds to minutes)

The Adaptive Security Architecture
- Proactive Exposure Assessment
- Predict Attacks
- Baseline systems
- Remediate/Make Change
- Design/Model change
- Investigate/Forensics
- Continuous Monitoring and Analytics
- Harden and Isolate Systems
- Divert Attackers
- Contain Incidents
- Prevent Incidents
- Detect Incidents
- Confirm and Prioritize

Big Data is Just Big Noise. Seek Intelligence.
[Diagram labels, in order]
- Context-Aware Intelligence: Model, Simulate, Act, Protect
- Community Context
- Knowledge: Patterns, meaningful anomalies; Analyze
- Continuous Monitoring and Analytics
- Information: Dependencies, relationships; Collect, Correlate
- Big Data: Logs, Events, Costs, Usage, Attacks, Breaches

Operations and Security Problems Are Becoming Big Data Analytics Problems
- Root-cause analysis
- Improved incident response
- Predictive failure analysis
- Capacity forecasting
- Predictive modeling of change
- Service governor for highly automated infrastructure
- Behavioral performance monitoring of applications
- Business value mapping
- Intelligent sourcing decisions

You Can't Secure What You Don't Know About
Source: Netskope

Cloud: Increased Monitoring to Compensate for the Loss of Direct Control
Connectedness to compensate for the loss of intimacy (control):
- Application instrumentation
- Agent-based, agentless and injected monitoring
- Virtualized probes
- Introspection
- Activity monitoring of applications, network, database, and users
- Cloud-based monitoring
"Fly by Wire"

IT's Control Point for the Cloud: Cloud Access Security Brokers
[Diagram labels: Cloud-based Services, Context, Consumers of Cloud-based Services]
Delivered as:
- Physical appliance
- Traditional software
- Virtual appliance
- Cloud-based security as a service
Operational:
- Caching
- Policy Decisions
- Bandwidth optimization
- Service balancing
- Mobile device profiling
- Mobile access policy
Security:
- Identity federation
- Access control
- Discovery
- Logging/Monitoring
- Alerting
- API enforcement
- Encryption
- Tokenization
- DLP
- Malware filtering
- Risk scoring

Context-aware Information Protection: SaaS Encryption Gateways and Data Tokenization
[Diagram: Name = Bob French, Name = Sam King; Name = cxwk bdkwg, Name = mkeo jd8bv]
Examples of Providers:
- CipherCloud
- Navajo Systems (acquired by salesforce.com)
- PerspecSys
- Vaultive (Office 365 first, expanding)
Challenges:
- SaaS-specific adapters
- Encryption versus tokenization
- Key management, mapping
- Preserving indexing and search
- Preserving numeric search
- Preserving numeric calculations
If they don't have your key, they don't have your data.

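The trade-off behind the "Preserving indexing and search" and "Preserving numeric search" challenges, as an added example that is not from the presentation or from any provider it names: a toy tokenization gateway whose deterministic tokens keep exact-match search working on the SaaS side while ordering and arithmetic on tokenized values do not. The class, the functions, the keyed-hash token scheme and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenGateway:
    """Hypothetical on-premises gateway; key and vault never reach the SaaS side."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> cleartext: the "mapping" that must be managed

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic keyed token: the same field/value always maps to the
        # same token, so the provider can still index and exact-match on it.
        msg = f"{field}\x00{value}".encode()
        token = "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError for tokens this gateway never issued


def saas_search(rows, field, token):
    """All the provider can do with opaque tokens: equality lookup."""
    return [r for r in rows if r[field] == token]


def demo():
    gw = TokenGateway(secrets.token_bytes(32))
    # Constructed sample records (names as on the slide, salaries invented).
    clear = [{"name": "Bob French", "salary": "90000"},
             {"name": "Sam King", "salary": "120000"},
             {"name": "Bob French", "salary": "7000"}]
    stored = [{f: gw.tokenize(f, v) for f, v in r.items()} for r in clear]

    # Exact-match search survives: the gateway tokenizes the query term too.
    hits = saas_search(stored, "name", gw.tokenize("name", "Bob French"))
    names = [gw.detokenize(h["name"]) for h in hits]

    # Numeric search does not: token order is unrelated to value order, so a
    # provider-side "salary > X" or SUM() has nothing meaningful to work on.
    token_order = [gw.detokenize(r["salary"])
                   for r in sorted(stored, key=lambda r: r["salary"])]
    # Cost of determinism: the provider can see rows 0 and 2 share a name.
    equality_visible = stored[0]["name"] == stored[2]["name"]
    cleartext_stored = any(s[f] == c[f] for s, c in zip(stored, clear) for f in c)
    return names, token_order, equality_visible, cleartext_stored
```
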
Information Security is not Control: Confusing the Means With the End
We control what we can, not what we should
"Information Security":
- Confidentiality
- Integrity
- Availability
- Authenticity
- Possession
- Utility
[Diagram labels: "=", Lockdown]
In Static Business and IT Infrastructures, Control was a Proxy for Trust

Move up the Stack to Understand and Protect Applications and Information
[Stack diagram: People, Processes, Information, Applications & Services, Workspace, OS, Network, Hardware]
Top down: information- and process-centric; "shareability"
Bottom up: device and OS fixation; "lockdown"
- What applications support which processes?
- Which applications hold what information?
- Which information is most sensitive?
- Clear application owner? Information owner?
- DLP should be a process not a product
- Unstructured data is a blind spot

A Shift up the Stack to Protect Information
By 2017, 40% of Global 1000 organizations will have aligned both their information management governance and information security governance programs.

Paradigm Shifts in Information Security

Old Mindset               New Realities
Signatures                Algorithms
Point solutions           Platforms that correlate & share
Fixed perimeters          Adaptive perimeters
Ownership = trust         Reputation services
Security boxes            Security software, some in hw
Security solution silos   Security as an adaptive system
Manual policy config      Security automation
Block and prevent         Detect and Respond
Incident response         Continuous response
Protect devices/nws       Protect information

The Bottom Line
- The Nexus of Forces continues to drive change and create new opportunities.
- Cloud is becoming a mainstream computing style and delivery option, with hybrid cloud, cloud brokerage and new delivery, management and security options accelerating adoption.
- The Data Center is Being Transformed: The Nexus of Forces is creating a need for speed and creating demand for advanced programmable infrastructure and services that can execute at webscale and support new client/cloud application models and the personal cloud.
- Big Data and Analytics will be at the core of the next generation data center, powering IT and security analytics use cases.
- Information Protection is Key, and the needs of information management governance and information security will converge.