Transitioning to the new security frontiers
- 15 May, 2019 13:30
L-R: Rickey Gilotra (Sense of Security); Josh Watts (Harbour IT); Klasie Holtzhausen (Symantec); Noel Allnutt (Solista); Adam Nixon (Core Technology Partners); Ronnie Altit (Insentra); Sash Vasilevski (Security Centric); John Ferlito (AC3); Lyncoln de Mello (Brennan IT); Mark Hofman (Shearwater Solutions); David Browne (Datacom); Ryan Mistry (Zirilio); Nick Verykios (Arrow ECS ANZ); James Henderson (ARN); Dushern Pather (TechSpecialist) and Dane Meah (InfoTrust)
In the middle of 2018, Microsoft registered a major achievement with its cloud productivity solution, Office 365, with over half of all organisations making use of it globally, according to a Bitglass report on cloud adoption for 2018.
While Office 365 delivers significant productivity and efficiency benefits it’s new approach to security is proving a challenge to some Australian organisations.
“With so many applications moving into the cloud - including Office 365 – we’re sometimes seeing that all of the focus is on ease of access rather than making sure that everything is secure,” Klasie Holtzhausen, senior director of ANZ channels at Symantec.
“There needs to be a change in approach to security, too, as it’s no longer about the device, but rather it’s about the data that is being stored in the cloud. Many customers today are struggling to conceptualise how they make sure that their information remains secure in the cloud.”
The stakes are high. Last year, an investigation by Fairfax Media/Nine News revealed China’s peak security agency had directed a surge in cloud-based cyber attacks on Australian companies in an attempt to steal commercial data and secrets. And 60 per cent of Australian organisations reported that their business had been interrupted due to a security breach in the last year, according to a Telstra security report from 2018.
According to David Browne, Australia practice manager for architecture and security at Datacom, one of the issues that organisations have faced with the cloud is the convenience of it, which led to some poorly-managed decisions being made.
“It was very easy and cost effective because you could just throw a credit card across it,” Browne said. “It wasn’t until there was a couple of breaches that things changed. In the old days, purchasing had an order: somebody needed a server because they were building a new application or providing a new capability for the organisation, so they’d put a request in, and it would go to IT, change control, then architecture and security gets involved.
“Cloud momentarily took some of that process away and it’s only now that we’re seeing the core of some of that come back. Now, though, the challenges are going to be more so around the surface computer. What security controls need to be applied or should be applied in those areas, and how do you still maintain security posture around that.”
Managing customer expectations
Part of the issue that the channel faces is the changing expectation of customers and the way that they look to use technology. Once security was a responsibility that the customer took on for themselves and deploys a strong, robust security perimeter around their technology assets, and the data held on them.
But in moving data, applications and processes to the cloud, many enterprises now expect security to be standard in the solutions that they’re deploying. In other words, when an organisation deploys Office 365, they expect that the servers that they’re accessing Office 365 on to be secured by their provider.
“In the traditional technology space, if we don’t see that security is a top of mind issue then we’re asking the wrong questions and the narrative becomes wrong,” Nick Verykios, Arrow ECS managing director, said.
“But from an information point of view the cloud is part of the overall infrastructure as far as they’re concerned. There’s the implication there that it will be secure. What the customer is interested in is the information and the secure use of the information. So now, security is an information discussion.”
There’s opportunity here for the channel, Adam Nixon, director and co-founder at Core Technology Partners, said. With this shifting focus on security, away from the perimeter and point solutions, many organisations lack the internal expertise and capabilities to qualify and quantify their risk profiles; data and information is the province of data scientists to manage, and data scientists are expected to see big jumps in salaries over the next couple of years as demand for their expertise far outpaces the availability of talent.
“Customers are now coming to us and driving the discussion,” Nixon said. “They want the analytics. They want us to review it for them. They want to know where their risk is and what services can we provide to ensure they’re compliant against current and likely future legislation.
"It all comes back to their application and their risk, and while there’s a skill shortage within the channel there’s an even more significant one in our customers. They just don’t have the skill set.”
This then raises the question about who is ultimately responsible for the security of an environment. Is it the enterprise, which is outsourcing its applications such as Office 365 to the cloud, but is the one that is ultimately creating, collecting and storing the data on the service? Or is it the providers who – implicitly or explicitly – are expected to provide a secure service?
“It’s a really complex area,” John Ferlito, head of product and technology at AC3, said. “The struggle as a service provider is in discussing the full gamut of questions that need to be asked. Where was funding to it? Is it the consultant that wrecked the application? Is it a person who deployed the application and then walked away and did something the wrong way? Is it our responsibility to continue to support older applications?”
“More often than not what we’re seeing across enterprise is there’s actual delineation now between who owns the application,” Noel Allnutt, co-founder and director at Solista, said.
“It’s not just around the infrastructure team. Five years ago, it was your infrastructure and you choose where your application is housed. It’s there your responsibility. Those lines can now be blurred if they’re not explicitly laid out.
“Our challenge and the channel, for most of the time, is in understanding quickly what your relevance is to that customer and what they need, because you can be working across similar teams who all use the application but one customer needs additional cyber awareness around it.”
One area where the channel can significantly benefit their customers in this transition to a perimeter-less environment is in providing the deep consultancy conversations, and helping those organisations broaden their understanding of how security can be approached, Ryan Mistry, COO at Zirilio, suggested.
“We spend a lot of time simply having conversations within the IT and the security rooms about having the broader conversation with the organisation,” he said. “The best potential is in getting into the CFO’s office and explaining the broader impact to the brand, and the organisation.”
But having those broader conversations can be a challenge for IT teams and their technology partners, Ronnie Altit, CEO at Insentra, said. The challenge is that IT still has a fundamental lack of understanding on how to engage with the highest level of the organisation – the board. Unfortunately for security to be effective in modern practice, it needs to be driven from the top down, so IT needs to understand how to get the board’s buy-in.
“Boards don’t even understand the concept of the cloud,” Altit said. “They haven’t even got their head around security yet, let alone cloud, and now we’re asking them to get their head around cloud and security, and the difference in security and the cloud.
"The reality is that the boards don’t care. What the boards concern themselves with are other factors in terms of what they need to deliver to their clients, their shareholders, et cetera.
“But we can sit here and get stuck into trying to have that IT discussion. For years the industry has been having the wrong discussions and it’s time to ask boards what they actually care about.”
Read more on the next page...
Lyncoln de Mello, practice director of communications and cloud at Brennan IT, agrees that boards aren’t overly interested in the specifics of security. Even when the board is across the security and the cloud conversation, their goals rests elsewhere.
“It’s around the device, the access to data and the management of people’s credentials and the various proliferation of shadow IT,” he said. “In our last couple of years of trading, there’s been a reduced focus on concerns about moving from one permanent cloud.”
Dane Meah, CEO at InfoTrust, agreed saying that, from his perspective, talking about product, no matter how innovative, isn’t the successful approach.
“We’re at the point where if you’re walking in to meet with senior executives outside of technology, even if it’s to solve a sole specific problem, everyone’s already talked to them about the perfect product for the problem. You’re not particularly welcome.
“The better approach is actually to remove the noise and put the problem in context, talk about business risk, and then talk about more broad, holistic approaches to mitigating risk among the business.”
The Holy Grail for the channel in engaging with boards is, as Sash Vasilevski, principle consultant at Security Centric, explained, being able to show how security solutions can open up new business opportunities.
“The biggest success we’ve had in the last 18 months is when it’s driven from the board, but it’s driven not an avoidance of risk but identification of a business opportunity. It’s in being able to show how the solution will either open up markets that they couldn’t play in, or differentiating them from their competitors.”
Succeeding by adding value
Despite the challenges of adequately engaging with customers, and defining the responsibilities around security, the consensus at the table was that it’s a good time to be in the channel in security – and particularly with regards to cloud security. The secret to success is finding the differentiator that allows you to add value.
“The MSPs are absolutely the only organisations that are in the best place to be able to sell the ongoing services of security, and they just need a little bit of assistance depending on their client’s particular needs,” Arrow ECS’ Verykios said.
"Whether they’re in medical or manufacturing or something like that, tailoring the solution to the client and vertical is important. If the reseller is truly an integrator they can provide the MSP with a lot of expertise in this area."
From the MSP perspective, there was also the acknowledgement that there are opportunities to work more closely with other parts of the channel to better deliver solutions and security to customers.
“There’s an opportunity to stretch the relationships with these point security providers because there’s a lot of stuff as an MSP that I’ll be honest that we aren’t doing that we should be doing,” TechSpecialist CEO Dushern Pather said.
“That’s not to say that our environment is insecure, because it’s not, but there’s stuff that we could be doing that’s next gen. For example, securing applications and providing consulting around things that are not within our boundary.”
Across all players within the channel, according to Core Technology Partners’ Nixon, the evolving needs around security is driving new opportunities to find competitive differentiation and value-add, for those in the channel that have an understanding of the customer.
“We’ve got a range of tools that cuts down network or security assessments that would normally take four or five days down to three or four hours. That’s a value add. We’ve changed our model so that now we go to market and provide certain assessments for free to our clients that result in engineering talk, because that is something that customers are seeing between us and another company that’s focused purely on implementation.
“It’s about having that conversation about how the client has adopted a cloud strategy, and a review into the business risks that it now has. It’s our responsibility to give a risk assessment and say to our customers ‘on a score of one to 100 you sit here.’ It protects us, too because then if in three months there’s a breach or incident, we can say that the client didn’t adopt that recommendation and that was their choice.”
Finding the right products
The modern security solution, designed to handle the perimeter-less environment, needs to look at security from three angles, according to Rickey Gilotra, business development manager at Sense of Security.
“Securing all three sides involves configuring, trying to block it from unauthorised access, and then accounting for 'pretending' to be somebody with authorisation after getting access credentials they shouldn’t have – in other words, making sure you have proper IP listing and other controls.”
Achieving this requires a solution made of combination of technologies, rather than a single vendor. Therefore the distributor is a critical piece in the development of a perimeter-free security solution. According to Josh Watts, COO at Harbour IT, the channel is increasingly relying on the distributor to provide additional expertise and resourcing in helping to secure a customer’s environment.
“We are expecting the top distributors. We would understand the technology of the products they’re bringing in, and we want distributors that are selective in who they choose and have that relationship into those vendors," Watts said.
"So it’s not just a logistics exercise. The best distributors are the ones that understand the technology and the relationships with the vendors.”
Zirilio's Mistry agreed, and added that the distributors that Zirilio works with are those that are able to support a rapidly-growing business with critical support around training and expertise that it would otherwise struggle to access independently.
“There’s only 17 of us in the group, so we look to the disties to provide that level of training and expertise that we struggle to find the time to organise ourselves. We’re constantly running out of time and double hatting. That’s running through my mind when working through initial arrangements with partners.”
Being able to find the right vendors to represent and distributors to partner with remains the biggest concern for channel organisations across the chain. According to Insentra’s Altit, the dynamic security environment means that its important to keep an eye out for a broad range of solutions.
“One of the things that we sort of pride ourselves on is not selling tier one and tier two products,” Altit said. “What we have seen is the value of the new vendors or relatively new vendors that have awesome tech and have invested heavily in the U.S.
"They want to come to market here but they’re too small for traditional distribution. There’s opportunities there to have a form of exclusivity with really cool technology.”
Regardless of the technology involved, or the structure of the partnerships, one thing’s for certain; the security go-to-market strategies that will be successful are the ones that are founded on a spirit of mutual co-operation and accountability, Solista’s Allnutt said.
“There’s a lot of great technology in the marketplace, so what makes them successful locally is the support and the people that you’re in the trenches with.
“Having that kind of shared accountability is important, because the landscape is completely changing. So, for example, historically you’re going in and having a technology discussion around IT and how to secure the data and where that data lives. But that conversation is broadening. Now we’re looking at how we can lock down IoT devices – for example, how health care can lock down health devices.
"If you can’t have that broader conversation then you’re going to lose credibility at the business level, which is everything,” Allnutt said.