© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Neil MacDonald
VP and Gartner Fellow
Gartner Information Security, Privacy and Risk Research
Twitter @nmacdona
Rethinking IT and IT Security Strategies in an Era of Advanced Attacks, Cloud and Consumerization
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved.
Traditional IT Models Are Strained: Increasingly We Don't Own or Control Much of IT
Inflection Points in Our Business and IT Infrastructure:
• Socialization and Collaboration
• Mobilization
• Consumerization
• Virtualization
• Cloudification
• Industrialization of Hackers
• Nationalization of Hackers
Leading to Several Key Shifts in IT
• The Need for Speed
• Software Defined Everything
• The Post-Signature Era
• Visibility & Big Data at the Heart of Next Generation IT Architectures
• A Shift up the Stack to Information
The Transformation of IT
Virtualization 68% penetrated
Cloud $9 billion IaaS
Private Cloud 35% deployed
Hybrid Cloud 72% pursuing
Agility
Hybrid IT 74% pursuing
Drivers Identify
Consumerization
Cost
New Apps
Experimentation
Inhibitors Mitigate
Fear
Compliance
Process
Politics
Culture People
Funding
Orgs
Mobility
Security
Shared Data
Tech Competence
Risk
Technology
Massive Scale
The Need for Speed
• Windows of opportunity: In a
connected world, opportunities come
and go, fast.
• Consumerization of expectation:
The Internet has created an
expectation of immediate gratification
— even in B2B relationships.
• Fail faster to win: You can't win big
unless you experiment — eliminate
the barriers to experimentation.
• "My business doesn't need speed":
Yes they do — either you didn't meet
their needs, or they don't understand
their needs yet — help them.
Ultimately, the primary business case for
cloud computing will often be speed — for the business.
The Need for Speed
Gartner Data Center Conference Poll, December 2013 (N = 87)
What is your main driver in moving to private clouds?
• Agility/Speed: 66%
• Improve Quality of Service: 12%
• Business Alignment: 10%
• Defend IT: 7%
• Reduce Costs: 3%
• Don't Know: 2%
Challenges:
• Working with users to build a business case
• Building a business case based on speed — the value of "faster"
• The value of experimentation
Private Cloud Progress
Gartner Data Center Conference Poll, December 2013 (N = 71)
How far along are you in a private cloud computing strategy?
• No plans yet: 13%
• Putting plans together, unsure when will deploy: 30%
• Putting plans together, deployment by end of 2014: 22%
• Pilot deployment in place: 14%
• A full-service deployment is in place (production or dev./test): 17%
• Several services are in place, fairly mature: 4%
Planning: 52%
Deployed: 35%
Private Cloud Computing Challenges
Message: Technology is one of the easiest challenges
Gartner Data Center Conference Poll, December 2013 (N = 92/92/89)
What are your three biggest challenges in creating a private cloud computing service? (Ranked first, second and third)
• Management and operational processes
• Culture
• Technology
• Service description and self-service interface
• Funding/Chargeback model
• Business/Customer relationship
• Politics
• Security
Software Defined Everything: SDx. The Data Center Becomes Programmable
• Software-defined Networking
• Software-defined Storage
• Software-defined Security
• IaaS
• Real-time Infrastructure
• Fabric-based Computing
• Open Compute Project
• OpenStack
• Software-defined Data Center
• Integrated Systems
• Software-defined Everything
Detection of Advanced Targeted Attacks (Advanced Persistent Threats)
Increasingly sophisticated models of both "good" and "bad" are needed. Better models require more data.
Understand what "bad" looks like, and look for similarities:
• Antivirus
• Intrusion prevention systems
• Thresholds exceeded
Understand what "good" looks like, and look for meaningful differences:
• Baselining
• Anomaly detection
• Predictive failure analysis
Complete Protection = Blocking/Prevention & Detection/Response
Block and Prevent
Detect and Respond
Retrospective
Predictive Preventative
Detective
Adaptive
Complete Protection Requires Comprehensive Adaptive Protection
Retrospective
Predictive Preventative
Detective
With a Core Based on Continuous Monitoring and Analytics
Continuous Monitoring
and Analytics
Full Lifecycle Protection Efforts: Before, During and After Attacks
Adaptive
• Predictive
• Preventive: Inline, real time (subsecond)
• Retrospective: Postincident (minutes to months)
• Detective: Near real time (seconds to minutes)
The Adaptive Security Architecture
• Divert Attackers
• Investigate/Forensics
• Remediate/Make Change
• Detect Incidents
• Continuous Monitoring and Analytics
• Harden and Isolate Systems
• Prevent Incidents
• Baseline Systems
• Confirm and Prioritize
• Contain Incidents
• Proactive Exposure Assessment
• Design/Model Change
• Predict Attacks
Big Data is Just Big Noise. Seek Intelligence.
Continuous Monitoring
and Analytics
Dependencies, relationships Information
Knowledge
Context-Aware Intelligence
Collect, Correlate
Analyze
Context Community
Logs, Events, Costs, Usage, Attacks, Breaches
Patterns, meaningful anomalies
Data Data Data Data
Big Data
Model, Simulate, Act, Protect
Operations and Security Problems Are Becoming Big Data Analytics Problems
• Root-cause analysis
• Improved incident response
• Predictive failure analysis
• Capacity forecasting
• Predictive modeling of change
• Service governor for highly
automated infrastructure
• Behavioral performance
monitoring of applications
• Business value mapping
• Intelligent sourcing decisions
You Can’t Secure What You Don’t Know About
Source: Netskope
Cloud: Increased Monitoring to Compensate for the Loss of Direct Control
Connectedness to compensate for the loss of intimacy (control):
• Application instrumentation
• Agent-based, agentless and injected monitoring
• Virtualized probes
• Introspection
• Activity monitoring of applications, network, database, and users
• Cloud-based monitoring "Fly by Wire"
Consumers of Cloud-based Services
Context
Policy Decisions
Cloud-based
Services
IT’s Control Point for the Cloud: Cloud Access Security Brokers
Security:
• Identity federation
• Access control
• Discovery
• Logging/Monitoring
• Alerting
• API enforcement
• Encryption
• Tokenization
• DLP
• Malware filtering
• Risk scoring
Operational:
• Caching
• Bandwidth optimization
• Service balancing
• Mobile device profiling
• Mobile access policy
Delivered as:
• Physical appliance
• Traditional software
• Virtual appliance
• Cloud-based security as a service
Context-aware Information Protection: SaaS Encryption Gateways and Data Tokenization
Name = cxwk bdkwg
Name = mkeo jd8bv
Name = Bob French
Name = Sam King
If they don't have your key, they don't have your data.
Challenges:
• SaaS-specific adapters
• Encryption versus tokenization
• Key management, mapping
• Preserving indexing and search
• Preserving numeric search
• Preserving numeric calculations
Examples of Providers:
• CipherCloud
• Navajo Systems (acquired by salesforce.com)
• PerspecSys
• Vaultive (Office 365 first, expanding)
"Information Security":
• Confidentiality
• Integrity
• Availability
• Authenticity
• Possession
• Utility
Information Security is not Control: Confusing the Means With the End
=
We control what we can, not what we should
Lockdown
In Static Business and IT Infrastructures, Control was a Proxy for Trust
Move up the Stack to Understand and Protect Applications and Information
Hardware
People
Applications & Services
Workspace
Processes
Information
Top down — information- and process-centric; "shareability"
Bottom up — device and OS fixation; "lockdown"
Network
OS
Unstructured data is a blind spot
What applications support which processes?
Clear application owner? Information owner?
Which applications hold what information?
DLP should be a process not a product
Which information is most sensitive?
A Shift up the Stack to Protect Information
By 2017, 40% of Global 1000 organizations will have aligned both their information management governance and information security governance programs.
Paradigm Shifts in Information Security
Old Mindset
• Signatures
• Point solutions
• Fixed perimeters
• Ownership = trust
• Security “boxes”
• Security solution silos
• Manual policy config
• Block and prevent
• “Incident response”
• Protect devices/nws
New Realities
• Algorithms
• Platforms that correlate & share
• Adaptive perimeters
• Reputation services
• Security software, some in hw
• Security as an adaptive system
• Security automation
• Detect and Respond
• Continuous response
• Protect information
The Bottom Line
• The Nexus of Forces continues to drive change and create new opportunities.
• Cloud is becoming a mainstream computing style and delivery option, with hybrid cloud, cloud brokerage and new delivery, management and security options accelerating adoption.
• The Data Center is Being Transformed: The Nexus of Forces is creating a "need for speed" and demand for advanced programmable infrastructure and services that can execute at web-scale and support new client/cloud application models and the personal cloud.
• Big Data and Analytics will be at the core of the next generation data center, powering IT and security analytics use cases.
• Information Protection is Key, and the needs of information management governance and information security will converge.