Enable unprecedented levels of automation and agility with cloud computing solutions.
How cloud-based security innovations support business agility
Cloud security is freeing companies to innovate and manage digital disruption by using cloud-defined security. This Q&A, also available as a podcast, examines how a secure content collaboration services provider removes the notion of organizational boundaries so that businesses can better extend processes. Fewer boundaries and cloud-based security together support transformative business benefits.
Gardner: Daren, what are the top three trends driving your need to extend security and thereby preserve trust with your customers?
The second thing we've seen is compliance. Compliance is a huge issue for most of the major corporations. You have to be able to understand where the data is and who has access to it, and to know who's using it and make sure that they can be completely compliant.
The third thing is primarily around the shift between security inside and outside of the organization. It's been a fundamental shift for us, and we've seen that security has moved from people's trust in their own infrastructure versus using a third party who can provide that security and have a far higher standard, because that’s what they do the whole day, every day. That security shift from on-premises to the cloud is a third big driver for us, and we've seen that in the market.
Gardner: You're in a unique position to be able to comment on this. Tell us about Intralinks, what the company does, and why security at the edge is part of your core competency.
We have the ability to actually lock that data down, control that, and put the governance and the compliance around that to secure that data, know where the high-value intellectual property (IP) is, who has access to it, and then be able to even share as well. And, if you’re in a situation of losing data, revoke access to someone who has left the organization.
Gardner: And these are industries that have security as a paramount concern. So, we’re talking about finance and insurance. Give us a little bit more indication of the type of data we’re talking about.
Glenister: It's anybody with high-value IP or compliance requirements—banking, finance, healthcare, life sciences, for example, and manufacturing. Even when you’re looking at manufacturing overseas and you have IP going over to China to manufacture your product, your plans are also being shared overseas. We've seen a lot of companies now asking how to protect those plans and, therefore, protect IP.
Steffen: I don't know exactly what’s happened, but you're absolutely right; that flip is going on. We've done a lot of research recently and shown that when you’re looking at inherent barriers going to a cloud solution, security and compliance considerations are always right there at the top. We commissioned the study through 451 Research, and we kind of knew that’s what was going on, but they sure nailed it down, one and two, security and compliance, right there.
They can’t just "third party" their security requirements away. That’s not going to cut it with all the regulators that are out there, but we have solutions. HPE has a solution, Intralinks has solutions, a lot of third-party providers have solutions that will help the customer address some of those concerns, so those guys can actually sleep at night.
Gardner: We're hearing so much about digital disruption in so many industries, and we're hearing about why IT can’t wait, IT needs to be agile and have change in the business model to appeal to customers to improve their user experience.
It seems that security concerns have been a governor on that. "We can’t do this because 'blank' security issue arises." It seems to me that it's a huge benefit when you can come to them and say, "We're going to allow you to be agile. We're going to allow you to fight back against disruption because security can, in fact, be managed." How far are we to converting disruption in security into an enabler when you go to the cloud?
Change management required
Enablement of the business is actually driving the need to go to the cloud, and obviously will drive security around that. To Chris’s point a few minutes ago, not all vendors are the same. Some vendors are in the cloud and they're not as secure as others. People are looking for trusted partners like HPE and Intralinks, and they are putting their trust and their crown jewels, in effect, with us because of that security. That’s why we work with HPE, because they have a similar philosophy around security as we do, and that’s important.
Steffen: The only thing I would add to that is that security is not only a concern of the big business or the small business; it’s everybody’s concern. It’s one of those things where you need to find a trusted provider. You need to find that provider that will not only understand the requirements that you're looking for, but the requirements that you have.
This is my opinion, but when you're kicking tires and looking at your overall compliance infrastructure, there's a pretty good chance you had to have that compliance for more than a day or two. It’s something that has been iterative; it may change, it may grow, whatever.
So, when you're looking at a partner, a lot of different providers will start to at least try to ensure that you don’t start at square one again. You don’t want to migrate to a cloud solution and then have all the compliance work that you’ve done previously just wiped away. You want a partner that will map those controls and that really understands those controls.
Perfect examples are in the financial services industry. There are 10 or 11 regulatory bodies that some of the biggest banks in the world all have to be compliant with. It’s extremely complicated. You can’t really expect that Big Bank 123 is going to just throw away all that effort, move to whatever provider, and hope for the best. Obviously, they can’t be that way. So the key is to take a map of those controls, understand those controls, then map those controls to your new environment.
Gardner: Let’s get into a little bit of the how ... how this happens. What is it that we can do with security technology, with methodologies, with organizations that allow us to go into cloud, remove this notion of a boundary around your organization and do it securely? What’s the secret sauce, Daren?
Glenister: One of the things for us, being a cloud vendor, is that we can protect data outside. We have the ability to actually embed the security into documents wherever documents go. Instead of just having the control of data at rest within the organization, we have the ability to actually control it in motion inside and outside the perimeter.
You have the ability to control that data, and if you think about sharing with third parties, quite often people say, "We can’t share with a third party because we don’t have compliance, we don’t have a security around it." Now, they can share, they can guarantee that the information is secure at rest and in motion.
Typically, if you look at most organizations, they have at-rest data covered. Those systems and procedures are relative child’s play. But that’s been covered for many years. The challenge is that it's newly in motion. How do you actually extend working with third parties and working with outside organizations?
Glenister: Historically, security has always been, "No, you can’t do this; let’s stop." If you look in a finance environment, it’s stop using thumb drives, stop using emails, stop using anything rather than ease of solution. We've seen a transition. Over the last six months, you're starting to see a transition where people are saying, "How do we enable? How do we get people to control them?" As a result of that, you see new solutions coming out from organizations and how they can impact the bottom line.
Gardner: Behavior modification has always been a big part of technology adoption. Chris, what is it that we can do in the industry to show people that being secure and extending the security to wherever the data is going to go gives us much more opportunity for innovation? To me, this is a huge enticing carrot that I don’t think people have perhaps fully grokked.What is cloud security? What does it mean to have defense in depth? What does it mean to have a matured security policy vision?
Steffen: Absolutely. And the reality of it is that it’s an educational process. One of the things that I've been doing for quite some time now is trying to educate people. I can talk with a fellow CISSP, and we can talk about Diffie-Hellman encryption and I promise that your CEO does not care, and he shouldn’t. He shouldn’t ever have to care. That’s not something that he needs to care about, but he does need to understand total cost of ownership (TCO), he needs to understand return on investment (ROI). He needs to be able to go to bed at night understanding that his company is going to be OK when he wakes up in the morning and that his company is secure.
It’s an iterative process; it’s something that they have to understand. What is cloud security? What does it mean to have defense in depth? What does it mean to have a matured security policy vision? Those are things that really change the attitudinal barriers that you have at a C-table that you then have to get past.
Security practitioners, those tinfoil-hat types—I classify myself as one of those people, too—truly believe that they understand how data security works and how the cloud can be secured, and they already sleep well at night. Unfortunately, they're not the ones who are writing the checks.
It's really about shifting that paradigm of education from the practitioner level, where they get it, up to the CIO, the CISO who hopefully understands, and then up to the C-table and the CFO making certain that they can understand and write that check to ensure that going to a cloud solution will allow them to sleep at night and allow the company to innovate. They'll take any security as an enabler to move the business forward.
Steffen: I couldn’t agree more. It’s a unique situation. Having your—again, I'll use the term—tinfoil-hat people talking to your C-table about security. They're big and scary, and so on. But the reality of it is that it really is critically important that they do understand the value that security brings to an organization.
Going back to our original conversations, in the last six to 12 months you're starting to see that paradigm shifted a little bit, where C-table executives aren’t satisfied with check-box compliance. They want to understand what it takes to be secure, and so they have experts in-house and they want to understand that. If they don’t have experts in-house, there are third-party partners out there that can provide that amount of education.
Gardner: I think it’s important for us to establish that the more secure and expert you are at security the more of a differentiator you have against your competition. You're going to clean up in your market if you can do it better than they can.
Technology as a differentiator
The credit reporting agency that I worked for a long time ago was one of those innovators, and people thought we were nuts for doing some of the stuff that we are doing. Years later, everybody is doing the same thing now.
It really can set up those things. Security is that new frontier. If you can prove that you're more secure than the next guy, that your customer data is more secured than the next guy, and that you're willing to protect your customers more than the next guy, maybe it’s not something you put on a billboard, but people know.
Would you go to retailer A because they have had a credit card breach or do you decide to go retailer B? It's not a straw man. Talk to Target, talk to Home Depot, talk to some of these big big-box stores that have had breaches and ask how their numbers looked after they had to announce that they had a breach.
Gardner: Daren, let’s go to some examples. Can you think of an example of Intralinks and a security capability that became a business differentiator or enabler?
Glenister: Think about banks at the moment, where they're working with customers. There's a drive for security. Security people have always known about security and how they can enable and protect the business.
But what’s happening is that the customers are now more demanding because the media is blowing up all of the cyber crimes, threats, and hacks. The consumer is now saying they need their data to be protected.
A perfect example is my daughter, who was applying for a credit card recently. She's going off to college. They asked her to send a copy of her passport, Social Security card, and driver’s license to them by email. She looked at me and said, "What do you think?" It's like, "No. Why would you?"
People have actually voted, saying they're not going to do business with that organization. If you look in the finance organizations now, banks and the credit card companies are now looking at how to engage with the customer and show that they have been securing and protecting their data to enable new capabilities like loan or credit card applications and protecting the customer’s data, because customers can vote with their feet and choose not to do business with you.
So, it’s become a business enabler to say we're protecting your data and we have your concerns at heart.
Gardner: And it’s not to say that that information shouldn’t be made available to a credit card or an agency that’s ascertaining credit, but you certainly wouldn’t do it through email.
Cultivating a security awareness culture
Steffen: We've talked about security awareness, the security awareness culture, and security awareness programs. If you have a vendor management program and you’re subject to a vendor management from some other entity, one of the things they also would request is that you have a security awareness program.
Even five to seven years ago, people looked at that as drudgery. It was the same thing as all the other nonsensical HR training that you have to look at. Maybe, to some extent, it still is, but the reality is that when I've given those programs before, people are actually excited. It's not only because you get the opportunity to understand security from a business perspective, but a good security professional will then apply that to, "By the way, your email is not secured here, but your email is not secured at home, too. Don’t be stupid here, but don’t be stupid there either."
We're going to fix the router passwords. You don’t need to worry about that, but you have a home router, change the default password. Those sound like very simple straightforward things, but when you share that with your employees and you build that culture, not only do you have more secure employees, but then the culture of your business and the culture of security changes.
Glenister: Security is a culture. I look at a lot of companies for whom we do once-a-year certification or attestation, an online test. People click through it, and some may have a test at the end and they answer the questions and that’s it, they're done. It's nice, but it has to be a year-round, day-to-day culture with every organization understanding the implications of security and the risk associated with that.
If you don’t do that, if you don’t embed that culture, then it becomes a one-time entity and your security is secure once a year.
Steffen: We were talking about this before we started. I'm a firm believer in security awareness. One of the things that I've always done is take advantage of these pretend Hallmark holidays. The latest one was Star Wars Day. Nearly everybody has seen Star Wars or certainly heard of Star Wars at some point or another, and you can’t even go into a store these days without hearing about it.
For Star Wars Day, I created a blog to talk about how information security failures led to the downfall of the Galactic Empire.
It's still a little iterative thing; it’s not going to happen overnight. It sounds silly talking about information security failures in Star Wars, but those are the kind of things that engage people and make people understand more about information security topics.
Looking to the future
Steffen: The one that immediately comes to mind for me—Intralinks is actually starting to do some of this—is you're going to see niche cloud. Here's what I mean by niche cloud. Let’s just take some random regulatory body that's applicable to a certain segment of business. Maybe they can’t go to a general public cloud because they're regulated in a way that it's not really possible.
What you're going to see is a cloud service that basically says, "We get it, we love your type, and we're going to create a cloud. Maybe it will cost you a little bit more to do it, but we understand from a compliance perspective the hell that you are going through. We want to help you, and our cloud is designed specifically to address your concerns."
When you have niche cloud, all of a sudden, it opens up your biggest inherent barriers. We’ve already talked about security. Compliance is another one, and compliance is a big fat ugly one. So, if you have a cloud provider that’s willing to maybe even assume some of the liability that comes with moving to their cloud, they're the winners. So let’s talk 24 months from now. I'm telling you that that’s going to be happening.
Gardner: All right, we'll check back on that. Daren, your prediction?
Glenister: You are going to see a shift that we're already seeing, and Chris will probably see this as well. It's a shift from discussions around security to transformation.
You'll see that impacting two ways. One is going to be new business opportunities, so revenue coming in, but it’s also going to be streamlined in the internal processes, so making things easier to do internally. And you'll see a transformation of the business inside and outside. That’s going to drive a lot of new opportunities and new capabilities and innovations we've never seen before.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.