Industry perspectives on securing the enterprise from Voice of the Service Provider

451 Research's Voice of the Service Provider service helps to both qualify and quantify buying behaviors, business drivers and strategic priorities for the expanding universe of public cloud providers, hosters, MSPs, telcos, systems integrators, SaaS companies and colos.

The infrastructures and architectures of most large enterprises are starting to resemble those of service providers – with networked datacenters, diverse communication channels, distributed user communities, elastic and scalable services, and agile delivery. This constantly evolving and expanding ecosystem often includes a rapid influx of new technologies and capabilities that is surpassed only by the growing and intensifying threat landscape arising from these advancements. Not only are these environments much more difficult and complex to secure than traditional, centralized IT, but there is also a steep learning curve to fully grasp the intricacies of a 'service provider-like' model. With this in mind, 451 Research recently asked several service providers what advice they have for enterprises moving in this direction.

Enterprise infrastructures have evolved beyond being solely built to offer intra-company connectivity and services to employees. They now provide services directly to customers, enabling and powering new products and services, and integrating with a long chain of partners, suppliers and distributors. However, securing such customer-facing cloud environments that operate at scale is significantly more challenging. Organizations have to take into account factors such as threat detection and regulatory compliance across multi-cloud, identity management, and disparate tools for edge device authentication. Assuming all clouds are alike is one of the main mistakes enterprises make. Security experts with service providers of all sizes have many recommendations for enterprises such as having a defense-in-depth strategy with comprehensive controls, leveraging APIs and automation to the greatest extent possible, and partnering as needed to fill skills and capability gaps.

Organizations, both private and public, across all industries are quickly moving to a hybrid/multi-cloud architecture in order to become more flexible, agile and responsive to the needs of the business and the demands of customers and partners. While the upside of this model is significant, it does create additional security complexities that organizations must address.

Because they are more focused on the immediate benefits, enterprises often jump into the cloud – whether SaaS, IaaS or PaaS – without having a clear cloud security strategy in place. Cloud service provider Virtustream notes that it is important for enterprises to recognize that security capabilities and functionalities often vary significantly from cloud to cloud. As a result, enterprises should detail the technical and security requirements cloud providers must meet before they consume cloud services. CenturyLink adds that enterprises need to understand that due to these variations, security controls must often be implemented in a customized manner for each vendor relationship; however, doing so makes it more difficult for enterprises to manage and secure them holistically.

As multi-cloud environments become the norm, IBM recommends that enterprises adopt a comprehensive but pragmatic security architecture composed of a combination of security controls ranging from firewalls and SIEMs to data loss protection and network flow analytics. However, IBM warns that implementing such a deep and integrated set of tools can be challenging from an operations standpoint due to limitations in control and access to core networks in the public cloud.

The importance of identity is often overlooked by enterprises as they move to a multi-cloud model, according to Rackspace. The company recommends organizations lean heavily on identity controls and leverage tools such as software-defined perimeter, multi-factor authentication and identity analytics in order to ensure appropriate access to resources and to detect abnormal access patterns across increasingly diverse environments. While it can be a challenge to fully implement, identity access management is a key component to ensure privacy and meet increasingly rigorous compliance requirements in a multi-cloud environment.

Defense in depth and at scale
For most enterprises, the nature of security and defense is changing. Security efforts are moving away from a rigid, perimeter-centric, network focus to favor more comprehensive and dynamic endeavors. Digital transformation initiatives, distributed workloads and data, remote users, mobile devices, and the hundreds, if not thousands, of clouds in use throughout the enterprise are requiring organizations to rethink security strategies and philosophies.

Orange Business Services advises enterprises not to overlook the basics as they evolve and advance their security strategies. OBS says it is essential that enterprises adopt tactics such as network segmentation and the 'principle of least privilege' to manage access to critical data and applications. In addition, implementing protection at multiple layers including the network, applications and endpoints is critical to keeping the organization secure. Pulsant and Swisscom point out that demonstrably good security practices provide an opportunity to be a differentiator in a crowded marketplace. While LeaseWeb agrees, it further cautions that there is also a big downside to the enterprise if it is compromised.

Unfortunately, enterprises that take a defense-in-depth approach often have dozens of security tools in place from a variety of different vendors. These disparate point products often lack integration, which makes it difficult for security teams to gain the visibility and centralized management they need for seamless, holistic protection. Because of its scale, AWS was forced to confront this problem sooner than most companies. It has done so by aggressively instrumenting and automating security operations through internal development efforts.

As the infrastructure continues to become more complex and the layers of defense continue to compound, Google says that it is essential for enterprises to be able to apply and adjust security controls and policies at scale by leveraging automation and APIs. The company adds that protecting applications, data, users and devices is a continuous process with multiple steps – develop a comprehensive inventory, define the desired state according to policy, measure configurations, and upon discovering deviations, adjust back to the desired state.
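
The four-step loop described above (inventory, desired state, measure, adjust) can be sketched as follows. This is an added example, not code from Google or any provider surveyed; the resource names, kinds, settings and the in-memory "adjust" step are constructed assumptions standing in for real provider API calls.

```python
from dataclasses import dataclass, field

# Step 2: desired state per resource kind, expressed as policy (constructed).
POLICY = {
    "bucket": {"public_access": False, "encryption": "aes256"},
    "vm": {"ssh_password_auth": False, "disk_encrypted": True},
}
UNSET = "<unset>"  # marks a setting that is absent from the measured config

@dataclass
class Resource:
    name: str
    kind: str
    cloud: str
    config: dict = field(default_factory=dict)

def measure(resource, policy=POLICY):
    """Step 3: return {setting: (actual, desired)} for every deviation.
    Returns None when no policy covers the kind, so the resource is
    surfaced for review and never silently treated as compliant."""
    desired = policy.get(resource.kind)
    if desired is None:
        return None
    return {k: (resource.config.get(k, UNSET), want)
            for k, want in desired.items()
            if resource.config.get(k, UNSET) != want}

def reconcile(inventory, policy=POLICY, apply=False):
    """Steps 3 and 4 across the inventory; apply=True adjusts drift back."""
    report = {"compliant": [], "drifted": {}, "unmanaged": []}
    for res in inventory:
        drift = measure(res, policy)
        if drift is None:
            report["unmanaged"].append(res.name)
        elif not drift:
            report["compliant"].append(res.name)
        else:
            report["drifted"][res.name] = drift
            if apply:  # assumption: a real system calls the cloud API here
                res.config.update({k: want for k, (_, want) in drift.items()})
    return report

def sample_inventory():
    # Step 1: inventory (constructed sample spanning two clouds).
    return [
        Resource("logs-archive", "bucket", "cloud-a",
                 {"public_access": False, "encryption": "aes256"}),
        Resource("web-assets", "bucket", "cloud-b",
                 {"public_access": True, "encryption": "aes256"}),
        Resource("build-agent", "vm", "cloud-a", {"ssh_password_auth": True}),
        Resource("orders-queue", "queue", "cloud-b", {"tls": True}),
    ]

if __name__ == "__main__":
    inv = sample_inventory()
    print(reconcile(inv, apply=True))  # first pass finds and adjusts drift
    print(reconcile(inv))              # second pass confirms convergence
```

The "unmanaged" bucket is the part that matters at scale: a resource kind with no policy is reported as a gap in the inventory-to-policy mapping, not counted as compliant.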

Threat detection
While a defense-in-depth model is a key strategy for advanced threat protection, enterprises are recognizing that in an increasingly complex and connected threat landscape, a compromise is unavoidable. Rackspace reports it has found that even though most enterprises are using multiple clouds, they are still building their security measures with a prevention mindset focused on the perimeter. Instead, Rackspace says, organizations should embrace the multi-cloud nature of the modern enterprise and recognize that the perimeter has effectively disappeared. It recommends that security teams shift their attention and efforts to threat detection and response. KIO Networks recommends having a hacker's perspective when it comes to protecting the customer networks.

Unfortunately, effective threat detection requires a significant amount of resources and expertise. Threat detection and response is about leveraging threat intelligence, analyzing user and attacker behaviors, finding anomalies, determining the threat level of those anomalies, and responding with the appropriate mitigating actions. As enterprises build out their threat-detection capabilities, they quickly find that no single tool will do the job. Threat detection and response requires a combination of integrated tools, specialized human expertise, threat intelligence, automation and big-data analytics. Artificial intelligence and machine-learning expertise and capabilities are also proving to be valuable in threat-detection efforts. ScaleMatrix is among the service providers that believe artificial intelligence will exponentially limit the time it takes for recovery efforts.

Cloud and service providers agree that threat detection is critical to protecting the enterprise; however, they also caution enterprises that building out capabilities that are able to handle an exponentially increasing and complex volume of data and threats while responding quickly to incidents 24/7 can be challenging and expensive in terms of time, dollars and risk.

Tata Communications says it understands that enterprises desire to transform their infrastructure to make it more flexible and scalable by leveraging a variety of cloud environments and new technologies that are available. However, at the same time, users and devices are becoming more diverse and distributed while threats and attacks continue to be more numerous and complex. Given the constant challenge of keeping up with advanced threats, dealing with pressures from regulatory and compliance frameworks, the struggles to staff security expertise, the ever-growing attack surface, and the need for a hybrid security approach to protect both legacy platforms and new technologies, Tata, Orange, INAP, CenturyLink and others recommend that enterprises look to partner with a security services provider to fill gaps they may have in expertise, tools or capabilities. Windstream trials partners on their ability to interoperate; otherwise, the service provider risks challenges with scaling the operation.

Enterprises may be surprised to find that, unlike most security service providers of the past, most modern providers offer customized services that are built to scale well beyond the abilities of most organizations. Partnering with a security service provider can enable enterprises to tap into a collective threat-intelligence pool that spans geographies, industries and technology platforms – something that would be difficult to replicate for most enterprises.

Most security service providers deliver a range of services that go well beyond staff augmentation and point security controls. Most provide several advanced services including threat detection and hunting, strategic planning, incident response, cloud workload protection, risk and compliance management, and security orchestration and automation. These services can be co-managed or completely outsourced and often offer a level of integration and automation that most enterprises would struggle to develop on their own.

In the end, successful providers of services need to help companies protect data, provide controls over how, where and when their data is used, and help navigate a profusion of constantly changing global laws. Those that are realistic about their threat environment and knowledgeable about what drives their organizations beyond security – from operational tactics to strategic goals – should realize benefits from doing the legwork of aligning their security investments with those realities.

The following service providers were surveyed for this report: AWS, CenturyLink, Google, IBM, INAP, KIO Networks, LeaseWeb, Orange, OVH, Pulsant, Rackspace, ScaleMatrix, Swisscom, Tata, Virtustream and Windstream.