Security and Other considerations. Part 2
By Johan Nordstrom
To be able to keep up with the development of new security threats, companies need to rethink their security strategies. The basics must be to decrease complexity and use automated solutions when possible.
There has been a change in the balance.
In the past, attacks and defenses were somewhat in balance in the sense that hackers manually hacked their way into companies and the targeted organizations security solutions relied on policies and signatures, and in combination with having researchers working effortlessly to identify malicious code and create working patches and signatures to detect, block, and mitigate attacks that was in many cases enough.
Today, it’s a different world, where threats and attacks are organized, conducted with precision, unique, hidden, sophisticated, and in many cases automated.
Nowadays, organizations must think about IT security from the beginning, and at the same time, many companies and authorities find it hard to cope with the massive and daily increase in new threats and attacks and the increasing complexity of legacy security solutions.
We have all seen that customers tend to maintain the status quo. If it has worked in the past, the presumption is that it will continue to work, at least until it either gets too complex to manage or it fails altogether, an attack is successful, and it’s too late. The only way to solve this is to make a change to automated systems now.
There are different types of solutions on the market, including on-premise solutions and cloud-based, and more companies tend to move to either a hybrid or entirely cloud-based environment. This puts new requirements into what kind of security solution you choose to implement; new regulations might also impact the choice, and again there are several different ways to approach this.
The number of companies choosing to use cloud-based security solutions is growing all the time, and security provided as a service (SaaS) is becoming more attractive because it promises organizations a way to reduce security costs while cutting security risk as well, but is that the full story? Let’s break it down a bit.
Reducing security costs: The ways that security as a service cuts costs will be familiar to anyone who has had to investigate cloud services of almost any kind. Essentially, they include:
Reducing capital expenditure: Running your own security systems involves a high level of up-front investment, including security appliances and software licenses, training, professional services, etc. These are costs that are eliminated with a SaaS solution.
Reducing administration: Operating one’s own security systems takes up a lot of staff hours. The costs related can be particularly significant if the company has many branch offices that don’t have their own IT staff. The use of cloud-based security solutions means that the majority of administration — service, updates, etc. — is carried out by the provider.
Now, if you believe that a SaaS solution could reduce your costs by moving from high capital investment and administrative expenses to a fixed monthly fee, then the next critical question is whether your security will be increased or, at the very least, remain at the same level as you could do with your on-prem solution.
The provider will have access to your data.
Using a cloud solution could also mean that you will traverse sensitive data over a third party outside of your control, and the risks with cloud-based security services are the same as with any other cloud services.
Sensitive data should be treated carefully, and organizations with applications and data requiring the highest level of confidentiality should look at what options they have to keep control of their data.
The vendor will be accessible from the internet; this is a risk that security teams have not had to consider with on-prem solutions, and you also need to consider potential DoS attacks. Without strong protection, malicious actors could make modifications to the services or prevent an organization from managing or accessing the services.
In my view, an organization should perform a thorough and detailed due-diligence audit. The organization needs to be able to trust the cloud provider fully, so this audit is crucial.
Compliance could be an issue that may be difficult to solve with cloud-based security services, so it’s essential for an organization to understand how the SaaS provider will meet specific compliance requirements.
So, what to look for in a solution?
Here are some requirements organizations should look for in a web application firewall solution:
Reduced Resource Requirements: The solution should reduce resource-intensive requirements imposed by legacy solutions, including infrastructure, maintenance, and personnel costs.
Centralized Management: The solution should offer centralized control that allows IT to be much more efficient when protecting cloud and on-premise applications.
Modern Security: The solution should provide an abundance of security parameters to make the environments more secure. These include application firewall, continuous machine learning to drive real-time security rules updates, application and perimeter scanning, and testing capabilities.
Automation: The solution should provide automated initial security rules configuration and ongoing updates.
Distributed Architecture: The solution should provide horizontal scaling across nodes on-prem and cloud, with retained control of sensitive data.