Consistency and Cost Savings from Cloud-Based Security

Bob Brandt is an information security expert who most recently served as the Global Security Architect at 3M. While at 3M, he focused on integration efforts for 3M application services across cloud and mobile platforms. Bob also devoted significant effort to improving 3M’s malware protection capabilities. He was on the governing body for several Twin Cities CISO Summits and co-chaired the Twin Cities chapter of the Identity Management Meetup for several years. Follow Bob on Twitter: @bobbrandt.

OPAQ: Which cyber security threats seem to be foiling enterprises today, and the vendors that serve them?

BB: The human factor is still a weak point. There are improvements that could be made to phishing defenses, as that is one of the main channels through which these attacks are successful. Phishers only need a low hit rate to be successful. However, a cloud service can deliver a consistent way of looking at data from all the various usage patterns. For example, every app has a Web version and an app for mobile, and those are distinctly different deployment patterns. All the traffic, whether it comes from a WiFi or wired or mobile network, goes through the same cloud service on its way to the application, and this enables companies to provide consistent security. It’s also more cost-effective to secure your applications through a cloud service instead of using several different technologies.

Another key threat where companies are falling down is regarding the privacy, governance and risk around data. If you had controls on the data it wouldn’t matter if someone stole the whole database, because they couldn’t crack open the encrypted data.

OPAQ: If you could start a company in the security industry today, what would be the focus?

BB: I’d probably work on a service that applied and enforced controls on data, such as authorizing people to access data and tracking that. For instance, in a hospital environment, the software would track data on who looked at patient data and when, because there should be very few people doing that. Even those who are authorized should have a reason for accessing your personal data. If the fields are naturally encrypted at the data layer, it would be hard for hackers to use it. Axiomatics and BigID are two of the companies working on this today.

OPAQ: Are there big differences in how midsize to large enterprises should approach security compared with smaller companies? Especially since smaller companies can still have large databases of sensitive information of value to hackers?

BB: First off, I’ll say that the cloud is a great equalizer. I think everyone should use cloud services for security. Large enterprises might have a few experts on staff to keep vendors honest and to customize the solution if needed. Smaller companies might rely more on a managed service provider as they don’t want to pay for IT staff, but on their own, they can’t keep up with changing security needs and threats. The differences are mainly on how to staff for security. The functionality is about the same, regardless of company size, and most of it should run in the cloud. Another advantage of the cloud is if you are running applications in an outside service, your business benefits from the traffic data of thousands of companies. An event like a single packet doesn’t mean much, but across all those companies it does. The cloud providers can see patterns from the data which can result in early detection of the threat.

OPAQ: Security skills are at a premium. How do you think companies should best handle this challenge moving forward?

BB: People still tend to talk mainly about firewalls and hackers, but that problem will be solved. In the future the skills will be less about malware analysis and more related to application security and integration, digital signatures, and connecting clouds securely. If we just built security into transaction APIs, the noise of malware would go down substantially. Increasingly, security is becoming automated. You can get a firewall administrator from a vendor’s solution.

There are threat analytics services which are largely automated and look for patterns in big data sets. These services can tell a customer when an attack might be coming—the kind of analysis that a customer would never be able to see just by looking at its own data.