In the middle of 2018, Microsoft registered a major achievement with its cloud productivity solution, Office 365, with over half of all organisations making use of it globally.
Without a doubt it’s a solution that delivers significant productivity and efficiency benefits to the organisation, but it also represents a challenge that many Australian organisations have been struggling with: a new approach to security.
“With so many applications moving into the cloud – including Office 365 – we’re sometimes seeing that all of the focus is on ease of access rather than making sure that everything is secure,” said Klasie Holtzhausen, senior director of ANZ channels at Symantec.
“There needs to be a change in approach to security, too, as it’s no longer about the device, but rather it’s about the data that is being stored in the cloud. Many customers today are struggling to conceptualise how they make sure that their information remains secure in the cloud.”
The stakes are high. Last year, it was revealed that China’s peak security agency had directed a surge in cloud-based cyber attacks on Australian companies with a goal of stealing commercial data and secrets. Furthermore, security breaches affect most Australian businesses – 60 per cent of organisations reported that their business had been interrupted due to a security breach in the last year.
According to David Browne, Australia practice manager for architecture and security at Datacom, one of the issues that organisations have faced with the cloud is its convenience, which led to some poorly managed decisions being made.
“It was very easy and cost effective because you could just throw a credit card across it,” Browne said. “It wasn’t until there were a couple of breaches that things changed. In the old days, purchasing had an order: somebody needed a server because they were building a new application or providing a new capability for the organisation, so they’d put a request in, and it would go to IT, change control, then architecture and security gets involved.
“Cloud momentarily took some of that process away and it’s only now that we’re seeing the core of some of that come back. Now, though, the challenges are going to be more so around the surface computer. What security controls need to be applied or should be applied in those areas, and how do you still maintain security posture around that.”
Managing customer expectations
Part of the issue that the channel faces is the changing expectations of customers and the way that they look to use technology. Security was once a responsibility that customers took on for themselves, deploying a strong, robust security perimeter around their technology assets and the data held on them.
But in moving data, applications and processes to the cloud, many enterprises now expect security to be standard in the solutions that they’re deploying. In other words, when an organisation deploys Office 365, it expects the servers on which it is accessing Office 365 to be secured by its provider.
“In the traditional technology space, if we don’t see that security is a top of mind issue then we’re asking the wrong questions and the narrative becomes wrong,” Nick Verykios, Arrow ECS managing director, said.
“But from an information point of view the cloud is part of the overall infrastructure as far as they’re concerned. There’s the implication there that it will be secure. What the customer is interested in is the information and the secure use of the information. So now, security is an information discussion.”
There’s opportunity here for the channel, Adam Nixon, director and co-founder at Core Technology Partners, said. With this shifting focus on security, away from the perimeter and point solutions, many organisations lack the internal expertise and capabilities to qualify and quantify their risk profiles; data and information is the province of data scientists to manage, and data scientists are expected to see big jumps in salaries over the next couple of years as demand for their expertise far outpaces the availability of talent.
“Customers are now coming to us and driving the discussion,” Nixon said. “They want the analytics. They want us to review it for them. They want to know where their risk is and what services can we provide to ensure they’re compliant against current and likely future legislation.
“It all comes back to their application and their risk, and while there’s a skill shortage within the channel there’s an even more significant one in our customers. They just don’t have the skill set.”
This then raises the question about who is ultimately responsible for the security of an environment. Is it the enterprise, which is outsourcing its applications such as Office 365 to the cloud, but is the one that is ultimately creating, collecting and storing the data on the service? Or is it the providers who – implicitly or explicitly – are expected to provide a secure service?
“It’s a really complex area,” John Ferlito, head of product and technology at AC3, said. “The struggle as a service provider is in discussing the full gamut of questions that need to be asked. Where was funding to it? Is it the consultant that wrecked the application? Is it a person who deployed the application and then walked away and did something the wrong way? Is it our responsibility to continue to support older applications?”
“More often than not what we’re seeing across enterprise is there’s actual delineation now between who owns the application,” Noel Allnutt, co-founder and director at Solista, said.
“It’s not just around the infrastructure team. Five years ago, it was your infrastructure and you choose where your application is housed. It’s there your responsibility. Those lines can now be blurred if they’re not explicitly laid out.
“Our challenge and the channel, for most of the time, is in understanding quickly what your relevance is to that customer and what they need, because you can be working across similar teams who all use the application but one customer needs additional cyber awareness around it.”
One area where the channel can significantly benefit their customers in this transition to a perimeter-less environment is in providing the deep consultancy conversations, and helping those organisations broaden their understanding of how security can be approached, Ryan Mistry, COO at Zirilio, suggested.
“We spend a lot of time simply having conversations within the IT and the security rooms about having the broader conversation with the organisation,” he said. “The best potential is in getting into the CFO’s office and explaining the broader impact to the brand, and the organisation.”
But having those broader conversations can be a challenge for IT teams and their technology partners, Ronnie Altit, CEO at Insentra, said. The challenge is that IT still has a fundamental lack of understanding of how to engage with the highest level of the organisation – the board. Unfortunately, for security to be effective in modern practice, it needs to be driven from the top down, so IT needs to understand how to get the board’s buy-in.
“Boards don’t even understand the concept of the cloud,” Altit said. “They haven’t even got their head around security yet, let alone cloud, and now we’re asking them to get their head around cloud and security, and the difference in security and the cloud.
“The reality is that the boards don’t care. What the boards concern themselves with are other factors in terms of what they need to deliver to their clients, their shareholders, et cetera.
“But we can sit here and get stuck into trying to have that IT discussion. For years the industry has been having the wrong discussions and it’s time to ask boards what they actually care about.”