The next BriefingsDirect data security insights discussion explores how cloud deployment planners need to be ever-vigilant for all types of cybersecurity attack vectors. Stay with us as we examine how those moving to and adapting to cloud deployments can make their data and processes safer and easier to recover from security incidents.
To learn more about taking the right precautions for cloud and distributed data safety we welcome two experts in this field, Mark McIntyre, Senior Director of Cybersecurity Solutions Group at Microsoft, and Sudhir Mehta, Global Vice President of Product Management and Strategy at Unisys. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.
Here are some excerpts:
Gardner: Mark,
what’s changed in how data is being targeted for those using cloud models like Microsoft Azure? How is that
different from two or three years ago?
McIntyre: First
of all, the good news is that we see more and more organizations around the
world, including the US government, but broadly more global, pursuing cloud
adoption. I think that’s great. Organizations around the world recognize the business
value and I think increasingly the security value.
The challenge I see is one of expectations. Who owns what, as you go to the cloud? And so we need to be crisper and clearer with our partners and customers as to who owns what responsibility in terms of monitoring and managing in a team environment as you transition from a traditional on-premises environment all the way up into a software-as-a-service (SaaS) environment.
Gardner: Sudhir,
what’s changed from your perspective at Unisys as to what the cloud adoption
era security requirements are?
Mehta: When organizations
move data and workloads to the cloud, many of them underestimate the
complexities of securing hybrid, on-premises, and cloud ecosystems. A lot of
the failures, or what we would call security breaches or intrusions, you can attribute
to inadequate security practices, policies, procedures, and misconfiguration
errors.
As a result, cloud security breach
reports have been on the rise. Container
technology adds flexibility and speed-to-market, but it is also introducing
a lot of vulnerability
and complexity.
A lot of customers have legacy,
on-premises security methodologies and technologies, which obviously they can
no longer use or leverage in the new, dynamic, elastic nature of today’s cloud
environments.
Gartner
estimates that through 2022 at least 95 percent of cloud security failures
will be the customers’ fault. So the net effect is cloud security exposure, the
attack surface, is on the rise. The exposure is growing.
Change in cloud worldwide
Gardner: People,
process, and technology all change as organizations move to the cloud. And so security
best practices can fall through the cracks. What are you seeing, Mark, in how a
comprehensive
cloud security approach can be brought to this transition so that cloud
retains its largely sterling
reputation for security?
McIntyre: I
completely agree with what my colleague from Unisys said. Not to crack a joke
-- this is a serious topic -- but my colleagues and I meet a lot with both US
government and commercial counterparts. And they ask us, “Microsoft, as a large
cloud provider, what keeps you awake at night? What are you afraid of?”
It’s always a delicate
conversation because we need to tactfully turn it around and say, “Well, you, the
customer, you keep us awake at night. When you come into our cloud, we inherit
your adversaries. We inherit your vulnerabilities and your configuration
challenges.”
As our customers plan a cloud
migration, it will invariably include a variety of resources being left on-premises,
in a traditional IT infrastructure. We need to make sure that we help them
understand the benefits already built into the cloud, whether they are seeking
infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or SaaS. We
need to be really clear with our customers -- through our partners, in many
cases – about the technologies that they need to make themselves more secure.
We need to give them awareness into their posture so that it is built right
into the fabric of the cloud service.
Gardner:
Sudhir, it sounds as if organizations who haven’t been doing things quite as
well as they should on-premises need to be even more mindful of improving on
their security posture as they move to the cloud, so that they don’t take their
vulnerabilities with them.
From Unisys’s perspective, how
should organizations get their housecleaning in order before they move to the
cloud?
Don’t bring unsafe baggage to the cloud
Mehta: We
always recommend that customers should absolutely first look at putting their
house in order. Security hygiene is extremely important, whether you look at
data protection, information protection, or your overall access exposure. That
can be from employees working at home or through to vendors or third-parties --
wherever they have access to a lot of your information and data.
First and foremost, make sure
you have the appropriate framework established. Then compliance and policy
management are extremely important when you move to the cloud and to virtual and
containerized frameworks. Today, many companies do their application
development in the cloud because it’s a lot more dynamic. We recommend that our
customers make sure they have the appropriate policy management, assessments, and
compliance checks in place for both on-premises and then for your journey to
the cloud.
The net of it is, if you are appropriately
managed when you are on-premises, chances are as you move from hybrid to more of
a cloud-native deployment and/or cloud-native services, you are more likely to
get it right. If you don’t have it all in place when you are on-premises, you
have an uphill battle in making sure you are secured in the cloud.
Gardner: Mark,
are there any related issues around identity and authentication as organizations
move from on-premises to outside of their firewall into cloud deployment? What
should organizations be thinking about specifically around identity and authentication?
Avoid an identity crisis
McIntyre: This
is a huge area of focus right now. Even within our own company, at Microsoft,
we as employees operate in essentially an identity-driven
security model. And so it’s proper that you call this out on this podcast.
The idea that you can monitor and
filter all traffic, and that you are going to make meaningful conclusions from
that in real time -- while still running your business and pursuing your
mission -- is not the best use of your time and your resources. It’s much
better to switch to a more modern, identity-based model where you can actually
incorporate newer concepts.
Within Microsoft, we have a
term called Modern
Workplace. It’s a reflection of the fact that government organizations and enterprises
around the world are having to anticipate and hopefully provide a collaborative
work environment where people can work in a way that reflects their personal
preferences around devices and working at home or on the road at a coffee shop
or restaurant -- or whatever. The concept of work has changed around enterprise
and is definitely forcing this opportunity to look at creating a more modern
identity framework.
If you look at some of the
initiatives in the US government right now, we hear the term Zero
Trust. That includes Zero Trust networking and micro-segmentation.
Initiatives like these recognize that we know people need to keep working and doing
their jobs wherever they are. The idea is to accept the fact that people will
always cause some level of risk to the organization.
We are curious, reasonably
smart, well-intentioned people, and we make mistakes, just like anybody else. Let’s
create an identity-driven model that allows the organization to get better
insight and control over authentications, requests for resources, end-to-end, and
throughout a lifecycle.
Gardner:
Sudhir, Unisys has been working with a number of public-sector organizations on
technologies that support a stronger
posture around authentication and other technologies. Tell us about what
you have found over the past few years and how that can be applied to these
challenges of moving to a cloud like Microsoft Azure.
Mehta: Dana, going back in time, one of the requests we had from the US Department of Defense (DoD) on the networking side, was a concern around access to sensitive information and data. Unisys was requested by the DoD to develop a framework and implement a solution. They were looking at more of a micro-segmentation solution, very similar to what Mark just described.
So, fast forward, since then
we have deployed and released a military-grade capability called Unisys
Stealth®, wherein we are able to manage
micro-segmentation, what we classify as key-based, encrypted micro-segmentation,
that controls access to different hosts or endpoints based on the identity of
the user. It permits only authorized users to communicate with approved
endpoints and denies unauthorized communications, and so prevents the spread of
east-to-west, lateral attacks.
Gardner: Mark,
for those in our audience who aren’t that technology savvy, what does micro-segmentation
mean? Why has it become an important foundational capability for security across
a cloud-use environment?
Need-to-know access
McIntyre: First
of all, I want to call out Unisys’s great work here and their leadership in the
last several years. It means a Zero-Trust environment can essentially gauge or
control east-to-west behavior or activity in a distributed environment.
For example, in a traditional
IT environment, devices are not really well-managed when they are centralized,
corporate-issued devices. You can’t take them out of the facility, of course. You
don’t authenticate once you are on a network because you are already in a
physical campus environment. But it’s different in a modern, collaborative
environment. Enterprises are generally ahead on this change, but it’s now coming
into government requirements, too.
And so now, you essentially
can parse out your subjects and your objects, your subjects trying to access
objects. You can spit them out and say, “We are going to create all user
accounts with a certain set of parameters.” It amounts to a privileged, need-to-know
model. You can enforce strong controls with a set of certain release-privilege
rights. And, of course, in an ideal world, you could go a step further and
start implementing biometrics [to authenticate] to get off of password
dependencies.
But number one, you want to
verify the identity. Is this a person? Is this the subject who we think they
are? Are they that subject based on a corroborating variety of different
attributes, behaviors, and activities? Things like that. And then you can also
apply the same controls to a device and say, “Okay, this user is using a
certain device. Is this device healthy? Is it built to today’s image? Is it
patched, clean, and approved to be used in this environment? And if so, to what
level?”
And then you can even go a
step further and say, “In this model, now that we can verify the access, should
this person be able to use our resources through the public Internet and access
certain corporate resources? Should we allow an unmanaged device to have a
level of access to confidential documents within the company? Maybe that should
only be on a managed device.”
So you can create these flexible
authentication scenarios based on what you know about the subjects at hand,
about the objects, and about the files that they want to access. It’s a much
more flexible, modern way to interact.
Within Azure cloud, Microsoft Azure
Active Directory services offer those capabilities – they are just built
into the service. So micro-segmentation might sound like a lot of work for your
security or identity team, but it’s a great example of a cloud service that
runs in the background to help you set up the right rules and then let the
service work for you.
Gardner: Sudhir,
just to be clear, the Unisys
Stealth(cloud) Extended Data Center for Microsoft Azure is a service that
you get from the cloud? Or is that something that you would implement on-premises?
Are there different models for how you would implement and deploy this?
A stealthy, healthy cloud journey
Mehta: We
have been working with Microsoft over the years on Stealth, and we have a
fantastic relationship with Microsoft. If you are a customer going through a
cloud journey, we deploy what we call a hybrid Stealth deployment. In other
words, we help customers do what we call isolation with the help of communities
of interests that we create that are basically groupings of hosts, users, and
resources based on like interests.
Then, when there is a request to communicate, you create the appropriate Stealth-encrypted tunnels. If you have a scenario where you are doing the appropriate communication between an on-premises host and a cloud-based host, you do that through a secure, encrypted tunnel.
We have also implemented what
we call cloaking. With cloaking, if someone is not authorized to
communicate with a certain host or a certain member of a community of interest,
you basically do not give a response back. So cloaking is also part of the Stealth
implementation.
And in working closely with
Microsoft, we have further established an automated capability through a discovery
API. So when Microsoft releases new Azure services, we are able to update the
overall Stealth protocol and framework with the updated Azure services. For customers
who have Azure workloads protected by Stealth,
there is no disruption from a productivity standpoint. They can always securely
leverage whatever applications they are running on Azure cloud.
The net of it is being able to
establish the appropriate secure journey for customers, from on-premises to the
cloud, the hybrid journey. For customers leveraging Azure cloud with different
workloads, we maintain the appropriate level of secure communications just as
they would have in an on-premises deployment.
Gardner: Mark,
when does this become readily available? What’s the timeline on how these
technologies come together to make a whole greater than the sum of the parts
when it comes to hybrid security and authentication?
McIntyre: Microsoft
is already offering Zero Trust, identity-based security capabilities through
our services. We haven’t traditionally named them as such, although we
definitely are working along that path right now.
Microsoft Chief Digital
Officer and Executive Vice President Kurt DelBene is on the US Defense
Innovation Board and is playing a leadership role in establishing essentially a
DoD or US government priority on Zero Trust. In the next several months, we
will be putting more clarity around how our partners and customers can better
map capabilities that they already own against emerging priorities and
requirements like these. So definitely look for that.
In fact, Ignite DC
is February 6 and 7, in downtown Washington, DC, and Zero Trust is certainly on
the agenda there, so there will be updates at that conference.
But generally speaking, any
customer can take the underlying services that we are offering and implement
this now. What’s even better, we have companies that are already out there
doing this. And we rely greatly on our partners like Unisys to go out and
really have those deep architecture conversations with their stakeholders.
Gardner:
Sudhir, when people use the combined solution of Microsoft Azure and Stealth
for cloud, how can they react to attacks that may get through to prevent damage
from spreading?
Contain contagion quickly
Mehta: Good
question! Internally within Unisys’s own IT organization, we have already moved
on this cloud journey. Stealth is already securing our Azure cloud deployments
and we are 95 percent deployed on Azure in terms of internal Unisys
applications. So we like to eat our own dog food.
If there is a situation where
there is an incident of compromise, we have a capability called dynamic isolation,
where if you are looking at a managed security operations center (SOC) situation,
we have empowered the SOC to contain a risk very quickly.
We are able to isolate a user
and their device within 10 seconds. If you have a situation where someone turns
nefarious, intentionally or coincidentally, we are able to isolate the user and
then implement different thresholds of isolation. If a high threshold level is breached
across 8 out of 10, that means we completely isolate that user.
Dynamic isolation isolates a
user and their device with different levels of thresholds while we have like a
managed SOC go through their cycles of trying to identify what really happened
as part of what we would call an advanced response. Unisys is the only solution
where we can actually isolate a user or the device within the span of seconds.
We can do it now within 10 seconds.
McIntyre: Getting
back to your question about Microsoft’s plans, I’m very happy to share how
we’ve managed Zero Trust. Essentially it relies on Intune
for device management and Azure Active
Directory for identity. It’s the way that we right now internally manage
our own employees.
My access to corporate
resources can come via my personal device and work-issued device. I’m very
happy with what Unisys already has available and what we have out there. It’s a
really strong reference architecture that’s already generally available.
Gardner: Our
discussion began with security for the US DoD, among the largest enterprises
you could conceive of. But I’m wondering if this is something that goes down
market as well, to small- to medium-sized businesses (SMBs) that are using
Azure and/or are moving from an on-premises model.
Do Zero Trust and your
services apply to the mom and pop shops, SMBs, and the largest enterprises?
All sizes of businesses
McIntyre: Yes,
this is something that would be ideally available for an SMB because they likely
do not have large logistical or infrastructure dependencies. They are probably
more flexible in how they can implement solutions. It’s a great way to go into
the cloud and a great way for them to save money upfront over traditional IT infrastructure.
So SMBs should have a really good chance to literally, natively take an idea
like this and implement it.
Gardner:
Sudhir, anything to offer on that in terms of the technology and how it’s
applicable both up and down market?
Mehta: Mark
is spot on. Unisys Stealth resonates really well for SMBs and the enterprise.
SMBs benefit, as Mark mentioned, in their capability to move quickly. And with
Stealth, we have an innovative capability that can discover and visualize your
users. Thereafter, you can very quickly and automatically virtualize any
network into the communities of interest I mentioned earlier. SMBs can get
going within a day or two.
If you’re a large enterprise,
you can define your journey -- whether it’s from on-premises to cloud -- depending
on what you’re actually trying to migrate or run in the cloud. So I would say
absolutely both. And it would also depend on what you’re really looking at
managing and deploying, but the opportunities are there for both SMBs and
enterprises.
Gardner: As
companies large and small are evaluating this and trying to discern their
interest, let’s look at some of the benefits. As you pointed out, Sudhir,
you’re eating your own dog food at Unisys. And Mark has described how this is also
being used internally at Microsoft as well.
Do you have ways that you can look at before and after, measure quantitatively, qualitatively, maybe anecdotally, why this has been beneficial? It’s always hard in security to prove something that didn’t happen and why it didn’t happen. But what do you get when you do Stealth well?
Proof is in the protection
Mehta: There are a couple of things, Dana.
So one is there is certainly a reduction in cost. When we deploy for 20,000 Unisys employees, our Chief
Information Security Officer (CISO) obviously has to be a big supporter of
Stealth. His read is from a cost perspective that we have seen significant
reductions in costs.
Prior to having Stealth implemented, we had a certain
approach as relates to network segmentation. From a network equipment
perspective, we’ve seen a reduction of over 70 percent. If you look at server
infrastructure, there has been a reduction of more than 50 percent. The
maintenance and labor costs have had a reduction north of 60 percent. Ongoing
support labor cost has also seen a significant reduction as well. So that’s one
lens you could look at.
The other lens that has been interesting is the virtual private
network (VPN) exposure. As many of us know, VPNs are perhaps the best
breach route for hackers today. When we’ve implemented Stealth internally
within Unisys, for a lot of our applications we have done away with the
requirement for logging into a VPN application. That has made for easier access
to a lot of applications – mainly for folks logging in from home or from a Starbucks. Now when they communicate, it
is through an encrypted tunnel and it’s very secure. The VPN exposure
completely goes away.
Those are the best two lenses
I could give to the value proposition. Obviously there is cost reduction. And
the other is the VPN exposure goes away, at least for Unisys that’s what we’ve found
with implementing internally.
Gardner: For
those using VPNs, should they move to something like Stealth? Does the way in
which VPNs add value change when you bring something like Stealth in? How much do
you reevaluate your use of VPNs in general?
Mehta: I would
be remiss to say you can completely do away with VPNs. If you go back in time
and see why VPNs were created, the overall framework was created for secure
access for certain applications. Since then, for whatever reasons, VPNs became
the only way people communicate from working at home, for example. So the way
we look at this is, for applications that are not extremely limited to a few
people, you should look at options wherein you don’t necessarily need a VPN. You
could therefore look at a solution like Unisys Stealth.
And then if there are certain
applications that are extremely sensitive, limited to only a few folks for
whatever reason, that’s where potentially you could consider using an
application like a VPN.
Gardner: Let’s
look to the future. When you put these Zero Trust services into practice, into
a hybrid cloud, then ultimately a fully cloud-native environment, what’s the
next shoe to fall? Are there some things you gain when you enter into this
level of micro-segmentation, by exploiting these newer technologies?
Can this value be extended to
the edge, for example? Does it have a role in Internet of things (IoT)? A role
in data transfers from organization to organization? What does this put us in a
position to do in the future that we couldn’t have done previously?
Machining the future securely
McIntyre: You
hit on two really important points. Obviously devices, IoT devices, for
example, and data. So data increasingly -- you see T-shirts out and you see
slogans, “Data is the new oil,” and such. From a security point of view there
is no question this is becoming the case, when there’s something like 44 to 45
zettabytes of data projected to be out there for the next few years.
You can employ traditional
security monitoring practices, for example label-free detection, things like
that. But it’s just not going to allow you to work quickly, especially in an
environment where we’re already challenged with having enough security
workforce. There are not enough people out there, it’s a global talent
shortage.
It’s a fantastic opportunity
forced on us to rely more on modern authentication frameworks and on machine
learning (ML) and artificial intelligence (AI) technologies to take on a lot of
that lower-level analysis, the log analysis work, out of human hands and have machines
free people up for the higher-level work.
For example, we have a really
interesting situation within Microsoft. It goes around the industry as well. We
have many organizations go into the cloud, but of course, as we mentioned
earlier, it’s still unclear on the roles and responsibilities. We’re also
seeing big gaps in use of cloud resources versus security tools built into
those resources.
And so we’re really trying to make sure that as we deliver new services to the marketplace, for example, IoT, that those are built in a way that you can configure and monitor them like any other device in the company. With Azure, for example, we have IoT Hub. We can literally, as you build an IoT device, make sure that it is being monitored in the same way as your traditional infrastructure monitors.
There should not be a gap
there. You can still apply the same types of logical access controls around
them. There shouldn’t be any tradeoffs on security for how you do security -- whether
it’s IT or IoT.
Gardner: Sudhir, same question, what does use of Stealth in conjunction with cloud activities get you in the future?
Mehta: Tagging
on to what Mark said, AI and ML are becoming interesting. We obviously had a
very big digital workplace solutions organization. We are a market leader for
services, for helpdesk services. We are looking at the introduction of a lot of
what you would call as AIOps in automation as it leads to robotic process
automation (RPA) and voice assistance.
So one of the things we are
observing is, as you go on this AI-ML, there is a larger exposure because you
are focusing more around the operationalization in automation or AI-ML and
certain areas where you may not be able to manage, for instance, the way you
get the training done for your bots.
So that’s where Stealth is a capability we are implementing right now with digital workplace solutions as part of a journey for AIOps automation as an example. The other area we are working on very closely with some other partners, as well as Microsoft, is around application security and hardening in the cloud.
How do you make sure that when
you deploy certain applications in the cloud you ensure that it is secure and
it is not being breached, or are there intrusions when you try to make changes
to your applications?
Those are two areas we are
currently working on, the AIOps and MLOps automation and then the
application security and hardening in the cloud, working with Microsoft as
well.
Gardner: If I
want to be as secure as I can, and I know that I’m going to be doing more in
the cloud, what should I be doing now in order to make myself in the best
position to take advantage of things like micro-segmentation and the
technologies behind Stealth and how they apply to a cloud like Azure? How
should I get myself ready to take advantage of these things?
Plan ahead to secure success
McIntyre: First
thing is to remember how you plan and roll out your security estate. It should
be no different than what you’re doing with your larger IT planning anyway, so it’s
all digital transformation. First thing to do is close that gap between
security teams. All the teams – business and IT -- should be working together.
We’ll continue to invest in the technologies that help customers securely deploy technologies or cloud resources from the get-go so that we close those gaps in configuration and close the gaps in reporting and telemetry as well. And we can’t do it without great partners that provide those customized solutions for each sector.
Gardner:
Sudhir, last word to you. What’s your advice for people to prepare themselves
to be ready to take advantage of things like Stealth?
Mehta: Look at a couple of things. One is focus on trusted identity in terms of who you work with, who you give access to. Even within your organization you obviously need to make sure you establish that trusted identity. And how you do it is you make sure it is simple. Second, look at an overlay network agnostic framework, which is where Stealth can help you. Make sure it is unique. One individual has one identity. Third is make sure it is refutable. So it’s undeniable in terms of how you implement it, and then the fourth is, make sure it’s got the highest level of efficacy, whether it’s related to how you deploy and it’s also the way you architect your solution.
So, the net of it is, a) trust
no one, b) assume a breach can occur, and then c) respond really fast to limit
damage. If you do these three things, you can get to Zero Trust for your
organization.
Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsors: Unisys and Microsoft.