Information Security, IT Security, Technology Security, IT Risk and Security and IT Risk Services are all names that organisations use to define a functional unit within their enterprise that is responsible for the security, integrity and operational assurance of their information assets and operating environment.
Cyber-attacks, high-profile targeted penetrations and unsubstantiated rumours of state-sponsored cyber terrorism (as discussed in Mandiant’s cyber security research report) are all on the rise, and most recently our Prime Minister, Julia Gillard, announced the unveiling of a new national security strategy in which protecting sensitive computer networks in government and the private sector would be a top priority.
In the US, amongst multiple cyber security initiatives, the one that is not much talked about but is of interest is the secret US cyber security program to protect the power grid—spearheaded by the National Security Agency and dubbed Perfect Citizen. It is a program that is looking to develop technology that protects the power grid from cyber attacks. Publicly available information describes the program primarily as a vulnerability assessment program with an associated protection capabilities development effort. In essence, isn’t that what security is all about: knowing your weaknesses and addressing them before others find out? When Australia’s Defence Signals Directorate (DSD) published their Top 35 cyber security mitigation strategies, the focus was likewise on vulnerability assessment and proactive management of emerging threats.
All research currently being published about security trends for 2013 focuses on the following 5 issues:
1. Rise of cyber attacks and state sponsored challenges
2. Attacks aimed at critical infrastructure
3. Rise of BYOD: Bring Your Own (Device, Disaster, Downfall)
4. Data breaches across the enterprise for data assets hosted internally and at cloud providers
5. Adoption of cloud services without adequate internal control measures.
So you must be wondering what all of this has to do with maturing security services and establishing a “Cloud Broker Model”.
My view is that investment in security (and its various services to the business) will always continue, sometimes more and sometimes less, depending on the economy and on the organisation’s tendency to spend on maintaining or developing the capability. This is, in turn, dependent on multiple factors external to the organisation, and so will also depend on the capability of the various teams to respond to the business’s demand—and on the turnaround time in which these services might be required to be developed and implemented.
Requirements to do more, relatively quickly, will only increase. Responding appropriately to, and managing, business demand for security services is the key to success.
With the rise of cloud-based services and the maturity of Security Software as a Service (SSaaS), if management believes that it can save money by outsourcing, offshoring or cloud-sourcing a particular capability, it will. This is especially true in the security tools and technology spectrum, where vendors like HP, IBM, Symantec, McAfee, Cisco and many more now have services (with varying degrees of maturity) that profess to do it better, faster and cheaper than an onsite, insourced setup.
Whilst not all of these claims are true, there are more than enough case studies out there to support them. Like all IT services, security is not immune to being “aaS’ed”, cloud or otherwise—it is only a matter of time. As professionals and security leaders, what we can do is be ready for when it happens—to support it and to have a strategy in place to make it a success.
With that as my rather long-winded introduction, I am ultimately trying to say that you should have a security services strategy. Set it up like a services broker, where you are the one-stop shop for all capability, whether insourced, outsourced or cloud-sourced.
Be a true business partner who looks for the optimal solution for the business, and who has moved its thinking from “everything is required to be in-house” to “source right to manage risk and reputation”.
Cloud Service Brokerage (CSB), delivered by Cloud Services Brokers (CSBs), is (in my view) the next phase of maturity required of IT service functions in the area of infrastructure and information security technology implementations.
A “Cloud Brokerage” or “Cloud Broker”, by definition, is a function that links customers/end users to cloud service providers. It assists with ascertaining business demand and business requirements, and recommends the appropriate platform, or combination of platforms and applications sourced through multiple cloud providers, that best addresses that demand.
Now some would say that is what Enterprise Architects, or Architects in general, already do. What I argue is that it is time the whole of IT—and especially the security functions—started to think and operate like that. A recent Gartner report outlined three categories of cloud brokers which Gartner believes will enhance adoption of cloud services:
1. Cloud Service Intermediation: An intermediation broker provides value added services on top of existing cloud platforms, such as identity or access management capabilities.
2. Aggregation: An aggregation broker provides the “glue” to bring together multiple services and ensure the interoperability and security of data between systems.
3. Cloud Service Arbitrage: An arbitrage broker provides flexibility and “opportunistic choices” by offering multiple similar services to select from.
Cloud Services Brokers will broker relationships between an end user/consumer and a cloud service provider. I believe the IT services function—and more so the information security function—within an organisation should look to pilot these roles, because the information security function is optimally placed to articulate compliance requirements and the risk profile, and has an end-to-end understanding of the business processes and information flows. This gives it a unique advantage in assisting the business in the role of a “Cloud Broker” whilst ensuring the environment is secure, with an adequate set of internal and cloud controls in place.