IDC VENDOR SPOTLIGHT
Considering a Cloud Based Security Solution?
August 2014
Dustin Kehoe; Research Director, IDC
Doc AU63204Y
Sponsored by Akamai Technologies
As the internet becomes ubiquitous in the business environment, the demands placed on networks to provide connectivity take on a new level of importance. In addition to delivering low latency and connectivity, the network must also be secure.
2013 will be marked as the year of high-profile attacks: there are now millions of malware variations to defend against, along with numerous perpetrators of distributed denial of service (DDoS) attacks. Securing the IT infrastructure has become a priority for many, as the potential for damage to both the network and the corporate reputation increases as malicious actors find new ways to penetrate IT infrastructures. Businesses are incurring costs both to remedy the damage done to the IT infrastructure and from the unquantifiable damage done to the reputation of the victimised organisation.
Given the complex nature of today's threat environment, organisations can achieve an advantage by employing a cloud-based security solution. Cloud-based services are a strategic approach to continuous monitoring: they provide early detection and can help eliminate the impact of DDoS attacks.
This paper is based on conversations held at an IDC roundtable with key IT decision makers from various industries about the issues they are facing in securing their business infrastructure. This paper also examines the role of Akamai Technologies in this market and the services it offers, which are designed to deliver integrated, high-performance and, at the same time, simplified protection of an organisation's IT infrastructure against web-based attacks. This paper also touches upon some best practices when it comes to securing an organisation's IT infrastructure.
Securing the web from new and old foes
The demands for IT performance continue to increase despite the fact that organisations of all sizes are struggling with resource constraints in a challenging economy. Compounding that is the reality of how rapidly enterprise web access is evolving. Employees today are no longer bound to their personal PCs or laptops, accessing the internet at their workplace through a connection secured by a centralised Web Security Gateway. With the ubiquity of mobile devices and the explosion brought about by the bring-your-own-device (BYOD) phenomenon, more employees are now accessing the web through mobile networks or internet connections that lie outside the enterprise perimeter.
At the IDC roundtable, IDC explored some key themes surrounding IT security with the group of senior IT security professionals. High amongst the issues highlighted at the roundtable were three broad ones:
Misalignment of security investments across the organisation.
How companies measured their own IT security investments against their competition.
How to educate management and board on the need to invest.
Below are some of the themes explored in the roundtable:
Over-reliance on Traditional Security Solutions
As more applications are being introduced across organisations, the security of data takes paramount importance in considering application delivery strategy. What was clear from the roundtable was that threats are increasing in volume and sophistication and the end is nowhere in sight. A participant from a professional services organisation stated that while their investment in IT security is increasing, the level of sophistication of threats remains several steps in front of the defence. "It's an arms race", said another attendee, who said that they have been investing in security solutions but have not seen a slowdown in threat activities and attacks on their infrastructure.
2013 saw many high-profile attacks, one of which struck Spamhaus, a European spam-fighting organisation. The attacks were so severe that they affected other websites across the globe. Attacks of this nature are also predicted to increase, with governments and financial institutions being the key targets. IDC has also observed that the nature of attacks has evolved from being more network-centric to targeting the application layer.
As lamented by a couple of attendees, there is a misalignment in the investment in security solutions. The threats of yesteryear are significantly different from the ones we see today. While security solutions such as anti-virus software, intrusion prevention systems (IPS), firewalls and spam filters were sufficient in days gone by, attackers today are looking for ways to circumvent traditional security controls such as endpoint security, IPS and spam filters and have turned their attention to as a more effective vector for infiltration.
A look at a survey conducted by IDC further demonstrates the points raised at the roundtable. In Figure 1, endpoint and network security appear more pressing than web security. This highlights the predisposition of CIOs towards security solutions that are tried and trusted, though these do not reflect the realities of today's IT threat environment. Coupled with this, the diversity of security solutions in the market has resulted in CIOs struggling to decide on the best possible deployment model.
Figure 1
Q: What are the top issues you will be addressing in the next 12 months in Australia?
[Chart not reproduced. Categories shown: Identity and Access Management, Network Security, Messaging Security, Web Security, Security and Vulnerability Management, Data Loss Prevention. Scale: 0.0% to 70.0%.]
Source: IDC APeJ Continuum Study, 2013 (n=100)
However, the conundrum expressed by the attendees centred on securing additional funding from the management and board. Explaining the push-back they met when reaching out for extra funding, IT buyers said they found it hard because management wanted to benchmark their IT spend against their contemporaries. An attendee from a media and broadcasting organisation succinctly illustrated this point by relaying a joke about two men walking on the plains of Africa, one of whom started to put on his running shoes upon seeing a lion. When asked about his seemingly futile attempt at outrunning the lion, the man with the running shoes said that while he couldn't outrun the lion, all he had to do was to outrun the other person. When it comes to security investments, management and boards only seem to want to know whether they are at the front of the pack or at the back of it.
Exploring the theme of benchmarking further, a number of attendees articulated that while the board understands that there is definitely a need for security, it certainly does not understand how to quantify it. They also said they did not have a high level of compliance and risk management, and they had to balance security against innovating for their lines of business.
What the IT executives agreed was that the issue at hand was not that management did not understand that security was important, but that management can't quantify and does not understand the risks it faces. Management is currently willing to accept high levels of risk without worrying about the implications of attacks on the IT infrastructure, as there are currently no strong consequences in the event of an attack: ultimately, the issue gets pinned down as an IT-related issue.
Attendees at the roundtable summed up that in order to help their management understand the need for further investments in IT security, IT needs to be able to simplify the language and turn it into a compliance scorecard which is used to benchmark between the lines of business and ultimately push the responsibility outside of IT to management.
Content and Application-Centric World
The conversation touched on the topic of securing the weakest link in the organisation - the human. CIOs today are facing challenges as they are charged with the delivery of applications to employees on a variety of devices, including smartphones and tablets. With the growing consumerisation of IT and the proliferation of mobile devices, slowdowns and poor performance in data-sensitive and productivity solutions will continue to be a key concern, particularly due to the trend of Australian organisations moving towards the cloud. In a study conducted by IDC in 2013, 27% of the 100 Australian CIOs interviewed stated that migrating to the cloud was their number one priority in the year 2014. Organisations understand that the performance and availability of cloud applications can, and will, impact the user experience and, in turn, revenues.
However, a representative from a broadcaster noted that it is not the people who are maliciously intent on causing harm to the organisation; rather, it is a systemic approach where the culture has swung too far towards a production culture and there is a rush towards meeting deadlines.
Catering Towards a Generational Change
Building on the theme around securing the human, an attendee from the tertiary verticals brought up a point on the struggles he faces securing the infrastructure of his institution and how they had to evolve towards recognising the needs of the Gen Y and Gen Z's. While having to remain fairly "open" as an institution of higher learning - they have a sense of being "paranoid when thinking about ways to secure their infrastructure".
Gen Y and Gen Z's would have typically grown up in a connected world and thus are predisposed to be hyper-connected. These groups are also generally more comfortable with operating in more complex structures, environments and technologies and demand instant gratification from just about everything. As these groups slowly permeate into the workforce, emerging and new cultures will be introduced, which organisations will need to address:
The change in the makeup of the workforce towards a more globalised and mobile one will require organisations to re-examine their IT Strategy. Mobile applications and strong access management solutions will need to be put in place to meet the demands of a more decentralised workforce.
Organisations will need to create an environment where employees can securely access confidential information via their choice of personal device. With that in mind, organisations will be required to put in place new
Defence in Depth
Virtually all of the attendees at the roundtable have a high degree of reliance on the internet for business, and protecting their digital assets. An attendee changed gears and paused to ask if there was a framework that represented a best practice approach. Both Akamai Technologies and IDC believe that relying on a single line of defence in today's threat environment is a risky, if not flawed, approach. A single line of defence, as its name suggests, utilises a single solution as a defence mechanism. However, once that system is breached, the entire infrastructure is vulnerable to attacks. A defence-in-depth, or layered security, approach is a method in which organisations use multiple layers of technology and policy to mitigate and prevent an attack. While it is impossible to protect every single asset, it is vital for organisations to perform a risk analysis and identify which assets are invaluable to the organisation and hence require a stronger security posture surrounding them.
While the makeup of a layered security approach may differ in terms of technology and policies, organisations need to examine their enterprise architecture, understand the resources that are most valuable to them and place the appropriate lines of defence to protect them. By leveraging cloud defence, organisations can extend their infrastructure by building a demilitarised zone on the internet and filter out attacks well before the malicious content hits the customer's perimeter. Network firewalls and intrusion prevention systems (IPS) can then sit at the network edge, provide an additional layer of security and inspect the traffic that traverses it.
Considering the Role of Akamai Technologies
Akamai Technologies is a Cambridge, Massachusetts based cloud service provider that has one of the world's largest distributed-computing platforms and provides enterprises with a secure and fault-tolerant user experience through any device. While Akamai Technologies has traditionally been known as a Content Delivery Network (CDN) vendor, IT buyers are increasingly asking for a more integrated fabric between the network and security layers, and the company has developed CDN security services over the past two years.
Specific to Akamai Technologies' security solutions is the Akamai Technologies Cloud Security Solutions suite. This offering is designed to help organisations address security and protection issues while, at the same time, providing a seamless user experience. Below are the components that form the solution suite:
Kona Site Defender - Leveraging Akamai's Intelligent Platform, the Kona Site Defender is designed to thwart DDoS attacks by absorbing application layer attacks and deflecting DDoS traffic targeting the network layer, leveraging the scale of a globally-distributed network.
Kona Web Application Firewall - A web application firewall (WAF) forms part of a scalable defence sitting at the edge that accurately detects potential application layer DDoS attacks, such as SQL injections. By filtering the traffic closer to the source, a WAF is able to preserve the level of network performance while simultaneously protecting the organisation's infrastructure.
Site Shield - A unique solution amongst Akamai Technologies' range of web-based solutions, SiteShield protects the origin by effectively removing it from the internet-accessible IP space and controlling access to the origin by channelling IP traffic and access through the SiteShield's server.
Fast DNS - Mitigates the risk of cache-poisoning-like attacks by using Akamai Technologies-administered name servers on Akamai Technologies' globally-distributed network platform. In doing so, it does not expose a customer's primary DNS server to potential attacks.
Prolexic Routed - By routing network traffic through Prolexic Routed, organizations can protect entire IP subnets, including all web- and IP-based applications within those subnets, any supporting network and data center infrastructure and the network bandwidth into their data center.
IDC observes some key differentiators which set Akamai Technologies apart from its competition. The following are a couple of points to consider:
Channel, Acquisitions and Partnerships: Akamai Technologies sees partnerships as a key strategy in bringing its solutions to a large universe of customers and has started to partner with large system integrators. Akamai Technologies has also further strengthened its play in DDoS with the acquisition of Prolexic, a provider of cloud-based security solutions. While the acquisition expands Akamai Technologies' arsenal by providing it with "scrubbing centres" and a Security Operations Centre (SOC), more importantly, it gives the company a foothold in the data centre and IP applications protection game. With this acquisition, Akamai Technologies provides its customers with better defence in depth. Traditionally, Akamai Technologies mitigates malicious attacks at the edge; with the Prolexic acquisition, malicious traffic is diverted to a "scrubbing centre", and the combination of both delivers clean traffic to the customer.
Leveraging Cloud-Based Security: One of the key differentiators of using a cloud-based security solution lies in leveraging an externally-hosted approach. This means that Akamai Technologies can help organisations fend off impending web-based attacks by channelling the traffic through Akamai Technologies' globally-distributed layer of defence, which sits at the edge. As a result, the malicious traffic and content will not traverse the customer's network, maintaining constant bandwidth availability across the network.
Challenges
While Akamai Technologies is best known for its innovative and industry-leading cloud services, particularly around the optimisation and delivery of online content and applications, it has been seen as a relative newcomer in the Cloud Security market in Australia because it has long been regarded as a strong player in the web acceleration market.
This actually works in favour of Akamai Technologies due to the fact that it is a less expensive option from a TCO perspective compared to its more entrenched competition.
Conclusion and Key Takeaways
As the threat landscape becomes more complex and fewer and fewer attacks are straightforward in nature, a silver bullet for this problem unfortunately has yet to be developed. The safest and most logical course of action is to assume that a breach will happen and to determine how best to limit the damage, typically through a defence in depth strategy.
Organisations need to prepare for the myriad of security risks brought forth by the increased adoption of technology trends such as BYOD and the cloud. The introduction of these technologies will require CIOs to consider the deeper implications of managing and securing the user technologically, while at the same time striking a balance between the need for data security, compliance and the user experience to help maximise employee productivity. When investing in a security solution, organisations must apply a strategic lens and consider solution providers that can address their needs over the long term.
The threat landscape organisations face today is rapidly evolving. Attacks are becoming more targeted, attackers are becoming more sophisticated in the techniques they employ, and signature-based solutions alone are no longer effective against these sophisticated attacks. As web-based applications and the heavy reliance on the internet increase, organisations need to look at solutions that employ heuristics and reputation, along with the ability to leverage behavioural patterns, to gain better visibility of network traffic and to prevent attacks taking place on the web. Organisations need to have more granular control over applications. To the extent that it addresses the challenges mentioned in this paper, IDC believes that Akamai Technologies can succeed in the Cloud Security market due to the aforementioned trends. Akamai Technologies employs a cloud-based approach in ensuring network and website performance while mitigating the damage caused by web-based attacks. IDC believes that Akamai Technologies can address the challenges faced by IT Executives described in this paper, and
ABOUT THIS PUBLICATION
This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
COPYRIGHT AND RESTRICTIONS
Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests contact the GMS information line at 508-988-7610 or [email protected]. Translation and/or localization of this document requires an additional license from IDC.
For more information on IDC visit www.idc.com. For more information on IDC GMS visit www.idc.com/gms.