RUNNING WITH SCISSORS: The Life of a CIO in the Cloud Age
Consider this scenario: another corporation suffers a spectacular attack and the unauthorized release of customer data and credit card information. The CIO is awoken by her PR team: the media is demanding answers on the impact of the breach.
It seems the CIO was the last to know. How did this happen?
It happened because enterprise IT is undergoing a dramatic change, far too often without the complete knowledge of the CIO. Lines of business are taking IT into their own hands, outsourcing applications and services, oftentimes without informing the CIO or involving enterprise IT.
The Best Intentions
There’s a drumbeat in the distance—marching closer and closer: the arrival of cloud-based enterprise software services. That inevitable arrival is keeping CIOs awake at night, because managing the security of these cloud-based services can be exhausting, and expensive. And that’s when you know about their existence!
While cloud-based services bring many operational efficiencies and savings, from a security perspective the challenges are substantial. Consider the top two:
1. Shadow IT: enterprise services operating outside enterprise control; and
2. Visibility: knowing what is actually happening out in the cloud.
Shadow IT and the Role of the CIO
Cloud technologies have made it possible for lines of business to circumvent internal security controls. Lines of business are buying their own IT services from cloud providers and dumping enterprise assets and their associated data into systems far beyond the traditional control of the CIO–from online data sharing sites like Dropbox or Google Drive, to sales management services (Salesforce.com) or human resources (SAP.com).
Often these services are purchased without oversight from the CIO. In cases where the CIO knows about the procurement, she is often powerless to provide any security conditions.
CIOs are being hamstrung when it comes to security, but are still held accountable. They have to wake up to calls from the press and stakeholders demanding answers, and sometimes have to fall on their swords—over a breach they were powerless to manage.
Poor Visibility in the Clouds
The “Cloud Age” brings unprecedented visibility problems. CIOs are going from watching a single physical/logical property–the corporate data centers (DCs)–to watching potentially dozens, many far outside their reach.
In the “old days” CIOs could manage their security infrastructure relatively easily: their firewalls, IPS and security dashboards were all dedicated to their enterprise.
But what about SaaS environments that provide only basic reporting? Or a PaaS environment where consultants pieced together some ad hoc service, then vanished? Trying to gather security logs from these sources can be hugely frustrating.
As a result, many CIOs are increasingly inclined to abdicate security accountability for assets outside the enterprise perimeter. They may recommend policies or monitoring, but are refusing to accept accountability for something over which they have no control.
Putting Down the Scissors: Antidotes to Shadow IT and Visibility
So what should a CIO be doing to enable the enterprise? First, for shadow IT, change how you’re looking at your traffic. Most organizations apply firewall filtering to traffic entering the enterprise domain, but not to traffic leaving it. This was common because firewalls simply didn’t have the horsepower to inspect traffic in both directions. But outbound traffic reveals shadow IT in its initial testing phases, ahead of full operational use: a new cloud destination showing up in egress logs is an early signal that a business unit has started using a service nobody approved. You can also watch for changes in destination traffic, such as a sudden shift in where internal hosts send data or a jump in outbound volume, which could indicate the compromise of an internal resource.
Figure 1 above is a good example of the security benefits of monitoring outbound traffic. In this case, a small cosmetics company saw a 5-fold increase in outbound traffic from its cloud-based web property over 2 days when the property was compromised and used as a relay for a malware campaign.
Second, look for interoperable security tools and views. Whether in a corporate DC, SaaS or PaaS cloud, CIOs need to have a single dashboard where events can be viewed side-by-side. There are different ways to accomplish this: from a single vendor that can support a wide range of DC and cloud platforms and report to a unified console, to ingesting logs into event management platforms designed to work with data from many different sources.
In the case of SaaS solutions, though, the firewall infrastructure and its associated logs and events may simply not be available from the service provider. Under these conditions, combining the outbound traffic events you can see (what your users are sending to the SaaS provider) with the inbound events you do control (from the DC and PaaS environments) is the compensating control.
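As an added illustration of both antidotes (example code written for this page, not part of the original article or any vendor product), the Python below normalizes outbound events from two constructed sources, a DC firewall key=value log and JSON flow records exported from a PaaS-hosted web property, into one common schema, then flags destinations that are not on a sanctioned-services list (shadow IT) and a multi-day outbound volume spike of the kind described for the cosmetics company above. The log formats, hostnames, addresses, byte counts and the sanctioned list are all constructed for the example.

```python
"""Egress monitoring over two heterogeneous log sources (constructed data).

1. Parse each source into one schema: day, source, src, dst, bytes_out.
2. Shadow IT: report DC destinations not on the sanctioned list, with the
   internal hosts talking to them.
3. Compromise indicator: report days on which a host's outbound volume
   exceeds `ratio` times its baseline (mean of the first `baseline_days`).
"""
import json
from collections import defaultdict

# Constructed sample: DC firewall export, one key=value record per line.
DC_FIREWALL_LOG = """\
date=2014-03-01 src=10.1.4.22 dst=dropbox.com dstport=443 sent=52000 action=allow
date=2014-03-01 src=10.1.4.23 dst=salesforce.com dstport=443 sent=120000 action=allow
date=2014-03-02 src=10.1.4.22 dst=newsaas.example dstport=443 sent=4000 action=allow
date=2014-03-02 src=10.1.4.40 dst=newsaas.example dstport=443 sent=9000 action=allow
"""

# Constructed sample: daily flow records from a PaaS-hosted web instance, JSON lines.
PAAS_FLOW_LOG = """\
{"day": "2014-03-01", "instance": "web-01", "dest": "203.0.113.9", "bytes_out": 800000}
{"day": "2014-03-02", "instance": "web-01", "dest": "203.0.113.9", "bytes_out": 850000}
{"day": "2014-03-03", "instance": "web-01", "dest": "198.51.100.7", "bytes_out": 2640000}
{"day": "2014-03-04", "instance": "web-01", "dest": "198.51.100.7", "bytes_out": 4125000}
"""

# Hypothetical list of cloud services procurement has actually approved.
SANCTIONED = {"salesforce.com", "sap.com"}


def parse_dc_firewall(text):
    """key=value firewall lines -> common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        events.append({"day": kv["date"], "source": "dc-firewall",
                       "src": kv["src"], "dst": kv["dst"],
                       "bytes_out": int(kv["sent"])})
    return events


def parse_paas_flows(text):
    """JSON-lines PaaS flow records -> common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"day": rec["day"], "source": "paas",
                       "src": rec["instance"], "dst": rec["dest"],
                       "bytes_out": int(rec["bytes_out"])})
    return events


def unsanctioned_destinations(events, sanctioned):
    """Shadow IT check: {destination: set(internal hosts)} for DC egress
    to services not on the sanctioned list."""
    hits = defaultdict(set)
    for e in events:
        if e["source"] == "dc-firewall" and e["dst"] not in sanctioned:
            hits[e["dst"]].add(e["src"])
    return dict(hits)


def outbound_spikes(events, src, baseline_days=2, ratio=3.0):
    """Volume check for one host: baseline = mean bytes_out over the first
    `baseline_days`; return (day, bytes_out, multiple) for later days whose
    outbound volume exceeds ratio * baseline."""
    per_day = defaultdict(int)
    for e in events:
        if e["src"] == src:
            per_day[e["day"]] += e["bytes_out"]
    days = sorted(per_day)
    if len(days) <= baseline_days:
        return []
    baseline = sum(per_day[d] for d in days[:baseline_days]) / baseline_days
    return [(d, per_day[d], round(per_day[d] / baseline, 1))
            for d in days[baseline_days:] if per_day[d] > ratio * baseline]


if __name__ == "__main__":
    all_events = parse_dc_firewall(DC_FIREWALL_LOG) + parse_paas_flows(PAAS_FLOW_LOG)
    for dst, hosts in sorted(unsanctioned_destinations(all_events, SANCTIONED).items()):
        print(f"unsanctioned service {dst} used by {sorted(hosts)}")
    for day, total, mult in outbound_spikes(all_events, "web-01"):
        print(f"web-01 outbound {total} bytes on {day} ({mult}x baseline)")
```

Two design points worth noting. The parsers are the only source-specific code; everything downstream runs on the common schema, which is the practical meaning of "viewing events side-by-side" regardless of where they were generated. And the spike check deliberately uses a short, fixed baseline window rather than a rolling mean, so that a multi-day ramp like the one in Figure 1 is still scored against normal traffic instead of against the previous, already abnormal, day.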
These antidotes can only be effective if they come from systems that work together and allow decisions to be made according to a pre-set policy. With security skills in serious shortage, building more complex systems that require scarce skills is not helping today’s CIO.
Sleeping Well at Night
The “cloud” is multi-faceted and can be infuriating for a CIO to control. Business units launch cloud strategies without checking with the CIO, then expect the enterprise IT organization to secure those cloud assets and be accountable for them.
The solution lies in monitoring traffic moving in all directions, buttressed by intelligence, and awareness of what is where on the internet. Solutions that can span DC and cloud technologies and provide unified views and automation may just let the CIO leave her phone on silent at night.