Collaborating Security Management with IT Services
A Bird's-Eye View of Security Management
Security, interoperability and orchestration, cost control and shadow IT are a few of the biggest challenges facing CIOs/CXOs/CEOs in Web Services today.
From a security perspective, leveraging Web Services means that an organization must trust its vendor to do the right things. Before selecting a vendor for any account services, CIOs/CXOs/CEOs should clearly review a vendor’s security profile to make sure that it meets and exceeds their own security standards. Does that vendor have a security policy in place? What steps are being taken on a recurring basis to ensure that the system is secure? These are just some of the questions that CIOs/CXOs/CEOs need to ask.
Another security challenge revolves around the abundance of systems and passwords, which makes it difficult to manage and secure services and to proactively detect and protect against threats to business continuity. Many people employ different Web services and end up with a mess of systems and passwords. It’s absolutely critical to employ a single sign-on service from the beginning. This enables users to maintain secure access across a range of external systems and web applications, without having to enter a new password. It also helps with proper provisioning and, even more importantly, de-provisioning of users within these systems.
In terms of interoperability, the challenge here is making sure that different accounts and services are synchronized. The emergence of niche cloud solutions and vendors has reduced the dependency of IT on services such as HR, expenses, finance and accounting, which is great. However, CIOs/CXOs/CEOs need to make sure that those different systems and solutions are synchronized with regard to certain master data like organizational structure and chart of accounts.
From a cost perspective, the challenge of moving from on-premises to a cloud environment means going from a perpetual licensing fee – and being able to anticipate YoY costs – to an entirely different pricing model that is scalable and flexible. It’s important to work with folks in finance, so you can pick the pricing model that is most applicable to your environment.
Lastly, with cloud services, it’s relatively easy for anyone in a company to purchase and access applications. From a user perspective, this is great because the cost of adopting new services is relatively low. From an IT perspective, it’s challenging to keep control of these different applications and make sure that all critical company information stays fully secured and within the reach of the company.
The Growth in Security Risks
It’s easy to launch instances and provide basic availability of infrastructure, but it’s not as easy to provide security. For example, it’s easy to launch a Windows or Linux instance, and make that available to users. But once you deploy that, you need to properly secure it. Any Windows instance needs to be patched, managed and controlled. It’s important to think about how you are going to include that instance in your network, what ports should be opened up to those instances, and what password reset mechanisms you are going to have. One solution is to integrate AWS into Active Directory, which allows you to specify which users within a company should have access to those resources and instances.
Another security risk when using AWS is from a change management perspective. With AWS, if you have an admin account, you have full access to everything – including port settings, security certificates and more. Everything is more or less wide open, which means it’s also open to security risks. It’s important to be aware of who has access to an AWS admin environment and what type of changes are being done there, in order to stay compliant and secure.
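One way to keep that awareness is to review the management-event log for exactly these change types. The sketch below is an added example, not code from the original article: it assumes records shaped like CloudTrail management events, and the sample records, account ID, user names and group IDs are constructed.

```python
from collections import defaultdict

# Event names for the change types named above (ports, certificates, access).
WATCHED = {
    "AuthorizeSecurityGroupIngress": "port settings",
    "UploadServerCertificate": "security certificates",
    "AttachUserPolicy": "access rights",
}
ADMIN_PORTS = (22, 3389)  # SSH and RDP: the Linux and Windows admin ports
ARN = "arn:aws:iam::111122223333:user/"  # constructed account and user prefix

def ingress_event(user, group, port, cidr):  # builds one constructed record
    perm = {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipRanges": {"items": [{"cidrIp": cidr}]}}
    return {"eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": ARN + user},
            "requestParameters": {"groupId": group, "ipPermissions": {"items": [perm]}}}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    ingress_event("alice", "sg-0aaa", 3389, "0.0.0.0/0"),
    {"eventName": "UploadServerCertificate", "userIdentity": {"arn": ARN + "alice"}},
    ingress_event("bob", "sg-0bbb", 443, "10.0.0.0/8"),
    {"eventName": "DescribeInstances", "userIdentity": {"arn": ARN + "bob"}},
]

def exposed_admin_ports(event):
    """Admin ports that an ingress rule opens to the whole internet."""
    perms = (event.get("requestParameters") or {}).get("ipPermissions") or {}
    hits = []
    for perm in perms.get("items", []):
        cidrs = {r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])}
        all_traffic = perm.get("ipProtocol") == "-1"  # rule covers every port
        lo, hi = (0, 65535) if all_traffic else (perm.get("fromPort"), perm.get("toPort"))
        if "0.0.0.0/0" in cidrs and lo is not None and hi is not None:
            hits += [p for p in ADMIN_PORTS if lo <= p <= hi]
    return hits

def review(events):
    """Return (watched changes grouped by principal, world-open admin port findings)."""
    changes, findings = defaultdict(list), []
    for ev in events:
        name = ev.get("eventName")
        if name in WATCHED:
            who = (ev.get("userIdentity") or {}).get("arn", "unknown")
            changes[who].append((name, WATCHED[name]))
            if name == "AuthorizeSecurityGroupIngress":
                group = ev["requestParameters"]["groupId"]
                findings += [(who, group, p) for p in exposed_admin_ports(ev)]
    return dict(changes), findings
```

Only IPv4 ranges are inspected here; a production check would treat IPv6 ranges the same way.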
Interconnectivity between IoT and Cloud Services
It’s important to differentiate between infrastructure and applications when discussing cloud services. Infrastructure refers to an instance of Windows or Linux that’s available through AWS or Microsoft Azure, while applications refers to solutions such as HEAT Software, Salesforce, SuccessFactors and Workday, among others.
First and foremost, cloud services mean that the definition of “configuration management database” (CMDB) needs to be extended. It no longer refers only to physical machines, but rather to a collection of everything that the end user is consuming. That has certain implications for change management. It’s important to be aware of the maintenance cycle of a vendor, and think about how you can integrate that with the rest of your applications and infrastructure. Within this context, one needs to be aware that any such maintenance or upgrade may also impact the various APIs to and from such systems, so investing in proper automated testing tools is a good idea.
Scope of Growth
Mobility is very high on the list. From a consumer perspective, we have seen a huge push from consumer technology to be completely available on mobile devices. We have not yet seen that rapid adoption for enterprise applications. As companies continue to update existing IT infrastructure, and move from existing applications to newer cloud-based applications, they will need to think through how it impacts users in terms of mobility.
A huge consolidation of tools will also come in the future. We’re starting to see the emergence of enterprise resource planning (ERP) applications. Many point solutions are coming together to form an ERP solution. For example, SuccessFactors initially focused on HR management, NetSuite focused on finance and accounting, and Salesforce focused on CRM. We’re seeing more capabilities being built out in those tools and we’ll continue to see consolidation happening. Eventually, you will get a complete ERP solution in the cloud from a single vendor.
The Present Scene of Cloud Services
We are starting to see more control in cloud services. Initially, cloud applications were relatively hard coded applications that were developed for a specific use case and lacked flexibility. We’re starting to see more and more configuration come into play.
Previously, in an on-premises environment, it was all about customization. But configuration allows you to stay in an upgrade-safe environment. It doesn’t lock you out from all of the innovation that the vendors push in that environment. I think that more flexibility will continue to show up in applications, in terms of what you see on the screen and what capabilities are being exposed. Vendors will continue to provide more fine-grained configuration.
An Insight for Novices
Not everything is better in the cloud. The cloud is not the one and only answer. It’s important to look at different aspects of managing the applications within a company environment and look at the different requirements of what is really needed. I see a lot of companies just blindly moving into the cloud, but then realizing that it doesn’t meet their requirements for security, or meet their expectations from an adoptability or flexibility perspective. The cloud is not always the answer; it’s one of many aspects to be looked at when making a tool decision. Depending on the situation, an organization might see a huge need for an on-premises environment.