Consistency and Cost Savings from Cloud-Based Security

Bob Brandt is an information security expert who most recently served as the Global Security Architect at 3M. While at 3M, he focused on integration efforts for 3M application services across cloud and mobile platforms. Bob also devoted significant effort to improving 3M’s malware protection capabilities. He was on the governing body for several Twin Cities CISO Summits and co-chaired the Twin Cities chapter of the Identity Management Meetup for several years. Follow Bob on Twitter: @bobbrandt.

OPAQ: Which cyber security threats seem to be foiling enterprises today, and the vendors that serve them?

BB: The human factor is still a weak point. There are improvements that could be made to phishing defenses, as that is one of the main channels through which these attacks are successful. Phishers only need a low hit rate to be successful. However, a cloud service can deliver a consistent way of looking at data from all the various usage patterns. For example, every app has a Web version and an app for mobile, and those are distinctly different deployment patterns. All the traffic, whether it comes from a WiFi or wired or mobile network, goes through the same cloud service on its way to the application, and this enables companies to provide consistent security. It’s also more cost-effective to secure your applications through a cloud service instead of using several different technologies.

Another key threat where companies are falling down is regarding the privacy, governance and risk around data. If you had controls on the data it wouldn’t matter if someone stole the whole database, because they couldn’t crack open the encrypted data.

OPAQ: If you could start a company in the security industry today, what would be the focus?

BB: I’d probably work on a service that applied and enforced controls on data, such as authorizing people to access data and tracking that. For instance, in a hospital environment, the software would track data on who looked at patient data and when, because there should be very few people doing that. Even those who are authorized should have a reason for accessing your personal data. If the fields are naturally encrypted at the data layer, it would be hard for hackers to use it. Axiomatics and BigID are two of the companies working on this today.

OPAQ: Are there big differences in how midsize to large enterprises should approach security compared with smaller companies? Especially since smaller companies can still have large databases of sensitive information of value to hackers?

BB: First off, I’ll say that the cloud is a great equalizer. I think everyone should use cloud services for security. Large enterprises might have a few experts on staff to keep vendors honest and to customize the solution if needed. Smaller companies might rely more on a managed service provider as they don’t want to pay for IT staff, but on their own, they can’t keep up with changing security needs and threats. The differences are mainly on how to staff for security. The functionality is about the same, regardless of company size, and most of it should run in the cloud. Another advantage of the cloud is if you are running applications in an outside service, your business benefits from the traffic data of thousands of companies. An event like a single packet doesn’t mean much, but across all those companies it does. The cloud providers can see patterns from the data which can result in early detection of the threat.

OPAQ: Security skills are at a premium. How do you think companies should best handle this challenge moving forward?

BB: People still tend to talk mainly about firewalls and hackers, but that problem will be solved. In the future the skills will be less about malware analysis and more related to application security and integration, digital signatures, and connecting clouds securely. If we just built security into transaction APIs, the noise of malware would go down substantially. Increasingly, security is becoming automated. You can get a firewall administrator from a vendor’s solution.

There are threat analytics services which are largely automated and look for patterns in big data sets. These services can tell a customer when an attack might be coming—the kind of analysis that a customer would never be able to see just by looking at its own data.

ISE® Northeast Forum Recognizes OPAQ Customer for Innovative Security Project

We’re excited to announce that one of our customers has been selected as a nominee for the 2017 ISE® Northeast Project Award. The nomination is based on the security achievements of our customer Sandy Alexander, a midsize marketing communications company that provides an array of services including CG studio services, digital printing, direct mailing, data driven marketing solutions, and retail visual merchandising.

Here’s the background on Sandy Alexander’s security project with OPAQ:

The company, which devotes 20% of its IT budget toward security, had been using a managed security service provider for branch office security management. While using an MSSP was a sensible approach to supplement Sandy Alexander’s small security staff, the benefits were not adding up. Justin Fredericks, the company’s IT director, says he was frustrated with the MSSP’s service quality and response time. He started looking for a new solution that would connect and secure its branch offices and vendors in a way that was less costly and complex, and ultimately more secure.

Sandy Alexander’s internal IT operations have dramatically improved using OPAQ’s centralized, automated security-as-a-service solution. “My team no longer has to think about what policies are up on one site versus the other, or which IP addresses or VPN tunnels are where,” Fredericks says. “We have complete visibility and the ability to control these policies and rules across the entire environment on one dashboard.” He predicts that the company will save money, over time, compared with the MSSP.

Some details and benefits of the project include:

  • OPAQ’s solution was layered on top of the company’s IT infrastructure, including several branch offices and sites of its vendors including data centers and manufacturing providers. The integration is deployed over redundant VPN connections. This was accomplished in one day!
  • The OPAQ 360 platform gives the IT department a central portal/dashboard to streamline policy enforcement, view status and alerts, manage threats and monitor all activity across its network.
  • The company is now obtaining complete security coverage over its IT infrastructure from one source: firewalls, intrusion and malware prevention, logging, reporting, analytics, and Distributed Denial of Service (DDoS) protection.
  • A distributed, branch office-based approach to security has now been replaced with a centralized system; that means less complexity for IT and better visibility and control over the network and all users.


The Information Security Project of the Year Award Program Series has been running for more than 10 years now, and winners will be announced at the ISE® Northeast Forum and Awards on October 11, 2017 in New York City.


Michael Suby: Using Automation and Assessments to Fight New Threats


Michael Suby is VP of Research at Stratecast, a division of Frost & Sullivan. Suby oversees the business operations of Stratecast and its research direction and serves as an analyst in secure networking. Suby spent 15 years in the communications industry with AT&T and Qwest Communications in a range of managerial, financial, and operational roles.

OPAQ: What are the latest advancements in network security technologies for the enterprise?

MS: The new technologies focus on greater detection with greater speed and certainty and the ability to respond with greater speed and precision. We are also seeing detection-less preventive mechanisms which incorporate signals and pattern matching to block malware. This is important because with zero-day and highly customized malware, there is an increasing chance that we will get hit by malware which hasn’t been seen before, so detection technologies are not as effective. Finally, we are seeing more interest in isolation techniques. If we can isolate the endpoint or use virtualized containers on the device inside a web session, we can prevent the propagation of malware to other devices.

OPAQ: Have advancements in security automation been helpful to the security industry and if so how?

MS: Security vendors are improving automation in their products so users can manage the security systems more efficiently. Incident detection response tools and event management tools are some of the systems which commonly embrace automation today. Automation is important in security because of the increasing security technology sprawl. There are more apparatuses to manage, greater IT footprint in terms of devices, hardware, networks, Internet of Things. Meanwhile the number of security professionals needed far outstrips supply and the cost of that talent keeps going up. So automation helps orchestrate work across the various technologies and can reduce the amount of mundane activities. This enables network security people to take their talent and apply it to the highest priorities first. Automation is also important because it helps speed up the time to detect and respond to events.

OPAQ: What should heads of security consider when making plans for their budgets in the coming 12 months?

MS: With all of the recent publicity around ransomware, we know that the current technologies won’t always work as needed. Many companies have a lot of gaps and vulnerabilities which are not being addressed and which create opportunities for ransomware writers to exploit. Yet budget planning is not just about buying new technology but increasing the frequency of objective security assessments of the enterprise. It’s often better to engage a third party to do this: they have no allegiances plus they have the knowledge base from companies in other industries. I would advise that companies spend more budget on understanding their risk position, and then taking steps forward.

OPAQ: How does this planning change if a company is going to significantly increase its cloud investments?

MS: Growing your cloud presence is common but it doesn’t happen in a vacuum. If you are doing this, at the same time you’re also decreasing the company’s presence in private data centers and managed hosting arrangements. What organizations really need to do is look at the tools and skills for managing hybrid IT. The goal is to manage workloads and control risk across all of the IT environments, and without elevating hours spent by finite IT and security resources. Of course, the cloud is not just about saving money but being more responsive to market needs. But if you are not keeping an eye on the operational aspects, it’s likely that the cost efficiencies you’re hoping to gain will be offset by the need to bring more humans into the equation.

Receiving Security From the Cloud: Why Cloud Maturity is Driving Security Transformation

For well over a decade, the cloud has garnered much hype and attention – and for good reason. For organizations bold enough to leverage it, the cloud has delivered staggering results including faster service delivery, reduced costs and greater agility.

Organizations have matured in their adoption and use of cloud services from email and HR Software-as-a-Service solutions to leveraging Infrastructure-as-a-Service providers to create new solutions and value for customers.

From the day the term cloud computing was coined, security has consistently been cited as a primary concern by organizations when considering moving business functions to the cloud – and it’s not hard to see why.

Utilizing yesterday’s bolt-on security as you implement your cloud strategy is extremely problematic. Not to mention the cloud era has coincided with a litany of other tech trends—Bring Your Own Device (BYOD), Internet of Things, and increasing levels of telework for example—that have made cybersecurity extremely challenging for businesses large and small.

These trends have erased the traditional concept of a security perimeter, causing IT professionals to patch one “leak” in the security dam as six more spring up. It’s an eternal and exhausting struggle, and one that hasn’t had an easy solution.

That is why we’ve formed OPĀQ Networks, which is an important evolution in network security and how security is delivered.

Security Is Still a Human Issue

The companies that can afford to find and retain security talent perform much better than those that can’t. However, the bottom line is that even for the most resource-rich, security-focused companies, there will never be enough security expertise.

There are quality security solutions out there that can provide protection in certain areas, but products are only useful if people have the time, budget and expertise to properly manage them.

Studies show the average large enterprise has anywhere from 3 to 5 network security products. Considerable amounts of time and expertise need to be put into the evaluation and management of a company’s security stack. Not to mention all of the selected products will have patches, updates and licenses that will need to be managed. And after all is said and done, a substantial number of security breaches occur due to poorly implemented policies and improperly implemented security products.

In 1997, I co-founded NetSec and helped pioneer the Managed Security Services Provider (MSSP) business model. We helped many companies with their security by providing outsourced monitoring and management of security devices and systems until I sold the company in 2005. The reality is that, even as the experts, NetSec and many other MSSPs struggled to keep pace with the highly diverse product base and distributed control of our clients’ network and security infrastructure.

Security-as-a-Service: Tightening Control, Simplifying Networks

The answer to the human issue is to bring network security into the cloud age. Rather than deploying and managing point security products utilizing distributed and disjoint policy, network security controls should be tightly integrated into the network and managed through a single policy control point. Security from the cloud can be extended to the location, user and device on demand.

This post on the Securosis blog by Mike Rothman does a good job of illustrating compelling use cases for security-as-a-service:

  • Optimized Interconnectivity: You might have 85 stores which need to be interconnected, or possibly 2,000 employees in the field. Or maybe 10 times that. Either way, provisioning a secure network for your entire organization can be highly challenging – not least because mobile employees and smaller sites need robust access and strong security, but fixed routes can negatively impact network latency and performance.
  • Security by Constituency: One interesting extension of the policies above would be to define slightly different policies for certain groups of employees, and automatically enforce the appropriate policies for every employee. Let’s consider a concern about the CFO’s device. You can put her and all the folks with access to sensitive financial data in a special secure network policy group.

At NetSec, we provided the best security possible at the time, but there were technological and physical limitations to what we could offer. And the MSSP model hasn’t dramatically changed. Distributed security products bolted on to a network managed by a separate team result in endless false alarms and incomprehensible policy. The legacy perimeter protection approach was difficult then and is nearly impossible within today’s hybrid cloud environments.

The growth capital OPĀQ Networks announced today will help us accelerate our research and development, operations, and customer growth in the commercial market. This is a tremendous step towards finally tackling the human issue head-on. It’s an issue that has been at the heart of security challenges for decades. And because of the maturity of cloud, now’s the time you’ll see positive disruption in how security is received.