SaaS, APTs and asymmetric risk take spotlight at Security Threats 2012

I had the opportunity to speak at a new security conference last week, Security Threats 2012. I presented on the topic of balancing business benefits with risks in the cloud (more on that later), but the event touched on a wide range of pertinent IT topics, provoking stimulating discussions of some of the most pressing challenges business leaders are facing.

I have to give a tip of my hat to the organizers of the conference. Not only did the event have an outstanding agenda with a bevy of top-notch speakers, but the attendees also brought a lot of value based on their varied backgrounds and senior roles in their companies.

Here are a few of the prime topics and perspectives I took away from the event:

The March of SaaS

Several speakers described the aggressive moves their companies are making toward the adoption of SaaS solutions. In many cases, it is the business units that make these decisions, with little notification to IT, let alone the security group. The motivations for moving to SaaS are about what you'd expect: time to value, cost-effectiveness, avoiding the IT organization.

Justin Kwong, senior director of IT operations and security with 24 Hour Fitness, described his company's rapid growth and concomitant reluctance to purchase and implement on-premises solutions. With such quick expansion and rapid change in its business opportunities, 24 Hour Fitness saw SaaS as an opportunity to achieve enterprise functionality at SMB pricing.

Given that Kwong's group isn't going to be implementing on-site CRM, what have they chosen to focus on instead? Kwong outlined their move to federated identity management, leveraging Active Directory as a way of supporting SSO for the user base. Not only does this increase user satisfaction by removing the need to log in repeatedly, it also ensures that one central change can remove login privileges from all of the SaaS applications once an employee leaves the company. So one could say that Kwong's group works on central infrastructure to support the SaaS-forward strategy. But lest you conclude that such a move is the province of the SMB market, Gene Fredrickson, chief information security officer of Tyco, a Fortune 500 perennial, said that his company is also backing a user-led, SaaS-forward strategy.

So how can security become aware of various SaaS initiatives throughout a company? Chet Loveland, global information security and privacy officer at MeadWestvaco, a packaging solutions company, summed up his strategy as "have friends in other places." By cultivating relationships with employees in human resources and procurement, Loveland can learn about SaaS decisions through the company grapevine. As a result, he can involve himself in SaaS initiatives and help ensure that contracts with vendors address items that are critical to the company.

Your Perimeter Is Swiss Cheese

At a conference devoted to evolving security threats, many presenters argued that the traditional strategy of hardening the perimeter of the data center is outmoded. They explained that external threats can almost certainly penetrate your defenses and set up persistent software agents that can rifle through your files at will. These so-called advanced persistent threats (APTs) are commonly sponsored by criminal enterprises and foreign states.

Larry Clinton, CEO of the Internet Security Alliance, gave a sobering talk on APTs, emphatically stating that the threats are a menace to every kind of company. Moreover, most companies aren't doing much about them. In a recent survey, only 16 percent of respondents said their companies are taking steps to mitigate APTs.

Clinton recommends that security shift from a technical/operational discussion within the company to an economic/strategic concern. Essentially, he attributed the lack of investment in security to a misguided view of what risk represents. By this reasoning, it's not about protecting the systems; rather, it's about protecting the business itself, which should involve every group in the company, from finance to legal, human resources to IT.

Kwong of 24 Hour Fitness also addressed the perimeter issue, offering a strategy based on an old joke: When a bear breaks into a camp, one camper sits down and laces up his running shoes. "Why are you doing that?" his fellow camper asks. "You can't possibly outrun a bear." The first camper responds, "I don't have to outrun the bear, I just need to outrun you."

So it follows that companies should consider a strategy of investing in security to the point where breaking into the system becomes sufficiently difficult that the bear (sorry, hacker) will move on to a slower (that is, more vulnerable) target.

The discussions on APTs were unsettling. My sense is that the risks are real, the security threats present, and no one has a really good answer for the situation. Which brings me to the next takeaway.

The Dilemma of Asymmetric Risk

Clinton and Kamil Farshchi, Visa's senior business leader of strategy, planning and initiatives, addressed the security difficulty of balancing risk against business opportunity. Another way of putting this is that the current practice of IT security creates a situation of asymmetric risk: the financial benefits associated with a computing initiative accrue to the business unit, while the risk responsibility lives with the security group. As we've seen repeatedly in our economy over the past two decades, allowing one group to achieve benefits while placing costs with another almost guarantees that risk measures will be downplayed and overaggressive initiatives pursued. Asymmetric risk placement is quite dangerous - it creates an environment in which one group can ignore risk signals by assuming that someone else is going to address the problem.

After the conference, a blog post commenting on a speech given by the CIO of an insurance company called Markel helped remind me of the importance of associating risk with benefit. Markel insures unusual situations like remote summer camps, miles from the nearest medical facilities and largely managed by teenagers. CIO Tom Gaynor explained that the company can profitably insure these sorts of endeavors by basing its underwriting insight on long experience - qualitative experience, essentially, since the individual situations Markel deals with are so distinct that the "law of large numbers" underwriting approach typical of most insurance practices is unworkable.

The blogger concluded that the same kind of qualitative judgment is necessary for IT security professionals, though it must be balanced with objective quantitative measures as well. So logging analysis is critical, but the decision of what to look at is born out of experience and knowledge. I think this is largely correct, but my larger lesson is that any situation that involves asymmetric risk bodes poorly for long-term outcomes. Markel deals with this by tying the underwriting process closely to the pricing process, thereby ensuring that every decision has a level of balance.

Speaking of which, what about cyber-insurance, the oft-bruited solution of laying risk off on an insurer in the hope of reducing a company's risk exposure to security lapses? As it happens, another attendee at the conference, a lawyer at a large international firm, had recently given a Webinar on the topic. His summary: it isn't really available at a reasonable price. It seems insurance companies are quite aware of the drawbacks of asymmetric risk.

Cloud Computing: Still in Its Infancy

As I mentioned, my presentation at the Security Threats conference was on balancing business benefits with the associated risks in cloud computing. My theme was that there are three risks, but traditional security approaches are preparing for only one: the conventional thinking that says, "Let's use security products and practices against hacking attempts and malware." There's nothing wrong with that - far from it - but it fails to address two future security challenges.

The second risk is what I refer to as the "cloud boomerang." I've mentioned this several times in this blog - it refers to the likelihood of shadow IT applications eventually being delivered back to IT when the developers tire of operating them or realize their operational expertise falls short of what's necessary to run a production app. Here is a YouTube video I put together on the topic.

This cloud boomerang is a very real prospect for IT groups and, in particular, for security groups. Appropriate security measures are often bypassed or ignored for these types of applications, sometimes due to agility requirements and sometimes out of sheer ignorance of those measures. In my talk at the conference, I recommended the preparation of a checklist of appropriate security measures to be applied during initial takeover to mitigate problems and implement a consistent set of security practices.

The third threat is that security practices are still rooted in outdated assumptions about the scale and growth of computing. As I have discussed many times, the future of computing is going to be several orders of magnitude larger than what we have historically experienced. Failing to recognize that shift, while maintaining practices designed for slow rollouts and such a small number of applications that they can be handled by manual processes, is a failure of imagination. If security groups aren't thinking about this bigger and faster future, there will be enormous disruption - and risk - in IT infrastructures.

I will acknowledge that the audience response to my presentation was muted. Perhaps I presented the material poorly and failed to engage the attendees. But I also ascribe the lack of engagement to the fact that most security practitioners still aren't really aware of what's going on in the cloud. While our company sees many instances of cloud computing applications and understands their implications, many security groups seem to be unacquainted with the pace of cloud adoption. This makes sense: in my presentation I cited a Forrester estimate that five out of six cloud deployments occur without any knowledge on the part of IT - they're truly shadow IT. I expect a rude awakening over the next 18 months as security groups specifically, and IT organizations generally, begin to grapple with the new IT realities that have sprung up like Gold Rush boomtowns - quickly built, poorly policed, prone to chaos, but also sources of great wealth. I believe that the next 18 months will be among the most interesting in the history of IT.

Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date. Follow Bernard Golden on Twitter @bernardgolden. Follow everything from CIO.com on Twitter @CIOonline
