IaaS and PaaS: Mature Enough for Financial Services Firms?
RFG Perspective: Since 2008 financial services firms have been under constant pressure to grow revenues and contain costs, which is driving IT executives to invest in cloud computing. Business executives do not value infrastructure per se; consequently, there is a push towards cloud computing to drive down costs as well as to enhance agility. Moreover, IT executives want to be able to implement Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud solutions that are vendor independent and first-of-a-kind implementations that provide portability. These solutions must also satisfy regulators, which, when it comes to compliance and security, is no simple task. However, since cloud computing standards are still nascent, with many conflicting APIs and standards in the works, IT executives must deal with an opportunity/cost challenge: wait for the technology to mature or implement cloud solutions now and risk the need for change.
Business Imperatives:
- IaaS APIs, solutions and standards are still immature and in a state of flux. Even OpenStack, which claims to offer a robust infrastructure solution, is still initiating new projects (e.g., Murano and Solum) to address additional infrastructure requirements. Unfortunately, each IaaS software methodology is different, causing user software to become solution dependent and hinders elasticity and freedom of movement. Amazon AWS currently provides the best offering but gaps remain. IT executives must develop common standards, taxonomy, and use cases that can be used to push vendors into delivering solutions that meet industry requirements.
- Which PaaS offering – and whether or not to use it – is heavily dependent upon application characteristics, workload portability, compliance, disaster recovery, and security requirements. The migration to PaaS means IT executives need to address DevOps and lifecycle management, which are not just technology challenges but also culture, people and process paradigm shifts. IT executives must re-evaluate their development lifecycle based on the new PaaS technologies, including defining their baseline requirements and policies for automation, continuous build, and version control.
- Compliance and security are not the same thing but are frequently intermixed when discussed. Much has been done to address security but compliance gaps exist that must be addressed and the methodologies standardized so that buy-in across the industry can be obtained from the regulators. IT executives must work on a common set of standards that regulators will sign off on and vendors can agree to support.
RFG has held a number of cloud forums for IT executives and senior architects of the major financial institutions over the past few months in New York City and London. This research note summarizes the discussions, findings, and desired actions required for cloud computing to become an operating standard and penetrate the financial firms in a cohesive, coordinated way.
CTO Panels
CEOs, CTOs and other IaaS top vendor executives from Canonical, CloudScaling, IBM/SoftLayer, SolidFire, SunGard Availability Services, and SwiftStack provided their views on the status and trends for IaaS. They all agreed there is a lot of work to be done before there are common APIs and standards that users could use that would allow portability and facilitate agility and scalability. One vendor executive postulated that in five years it may be possible for hybrid clouds to reach the point where cloud environments can be seamless with common APIs and security policies. One challenge for user executives is that some applications are infrastructure-aware while others are not. For true independence and flexibility, this awareness must be eliminated or be resolvable through dependency or policy mappings.
Development teams, especially DevOps staff, should not need to know infrastructure, just be able to address orchestration and policies. In response to the question on compliance and security, it was agreed that the responsibility for policy enforcement, security and governance belongs in each component of the stack. A need for software-defined compliance was also addressed, with the consensus that it needs to be built in at the start, not after the fact. IT executives were advised to contemplate two kinds of clouds: a virtualization cloud for legacy applications with the aim of improving cost efficiencies; and an innovation cloud designed to help developers get new applications to market faster. Cloud architects must be able to stitch these clouds together.
A second panel consisting of CEOs, CTOs and other PaaS vendor executives from ActiveState, Citrix, GigaSpaces, Mirantis, and MuleSoft offered their opinions on PaaS status and trends. All agreed that PaaS and IaaS layers are not blurring but the application and platform layers are and it will get even more blurred as vendors add more layers and build more higher order services. Nonetheless, all PaaS frameworks should run on any IaaS layer. The issue of DevOps arose again with executives pointing out that DevOps is not just a technology issue; it must also address policies (like security), processes, and cultural change. Developers need to rethink their roles and focus more on orchestration of services than on purely writing code.
Vendors conceded IaaS and PaaS solutions are still immature and suggested IT executives view the use of clouds as an opportunity/cost analysis problem. IT executives and their firms can wait until the technology matures or can invest now, shoot for first mover advantage, and risk the need for change when standards emerge that are not consistent with their implementations. The rewrite risk was postulated to be less expensive than the risk from market losses to competitors.
The panel discussed the requirement for common APIs and workload affinity and portability. While there was agreement on the need for common APIs, there was disagreement on the right level of abstraction for the APIs. All agreed workload affinity will apply to PaaS platforms, which means IT executives will need to determine which workloads apply to what PaaS offerings before attempting to migrate workloads. Successful PaaS solutions will allow for application portability on- or off-premise. The movement towards use of composable elements will enable this capability. The challenge will be the mapping of application services across divisions or organizations, as even file movements look different across organizations. The panel voiced support for software defined solutions, including software defined operators.
IaaS
In the IaaS track IT executives and architects expressed that there is no winning solution out there yet. Amazon AWS, Docker, KVM, OpenStack, Rackspace, Ubuntu, VMware, and Xen are amongst the cloud solutions in use. An AWS architect voiced the opinion that more banks use AWS than other solutions because the company works more closely with customers to meet their unique banking requirements than the others. For example, users expressed Amazon got it right when it bolted down certain components, like the hypervisor, while showing more flexibility elsewhere. However, it was clear from forum discussions that AWS's early dominance is no guarantee that it will remain the 800 pound cloud gorilla.
One IT executive expressed use of IaaS could solve the hygiene and maintenance issues while simultaneously driving down the cost of infrastructure maintenance and support. IT executives could view IaaS solutions as disposable – i.e., bugs are not fixed and upgrades not applied but platforms are discarded and new ones provisioned. Smartphones use this concept today and it could be a transformative approach to keeping infrastructure software current.
Operations movement to the cloud represents a paradigm shift for the development cycle and developers. Business executives are not enthused with paying for infrastructure costs, as it impairs margins and does not drive revenue. Thus, it behooves organizations to standardize on cloud platforms that can provide agility, portability, scalability, security and cost containment rather than have each application locked into its own infrastructure. This is a 180 degree shift in how the process is done today. IT operations executives need to convince senior management and development executives to change the development culture. However, all agree that this is most likely an 80/20 rule – 80 percent of the time a few IaaS platforms apply and 20 percent of the time uniquely modified platforms may be needed for the enterprise to differentiate itself to have a competitive advantage and make money.
Lastly, there was consensus amongst users and vendors that there is a need for, at minimum, de facto standards and a common taxonomy. The areas to cover are those currently found in the AWS implementation plus audit, federation, orchestration, and software distribution. The group wants to move forward with a focus on the areas of audit and compliance first, using use cases as the baseline for developing requirements.
PaaS
It became clear early on in the information exchange that PaaS means different things to different people – even within a company. There are PaaS offerings for analytics, databases, and disaster recovery as well as online transaction processing, for example, which can be self-service, pay-as-you-go, and on demand. The platforms may have different requirements for availability, compliance, orchestration, scalability, security, and support. Some PaaS solutions are designed for DevOps while others are architected for legacy processes and applications.
The executives chose to focus on business- and mission-critical applications and the solutions employed, such as AWS Cloud Formation, Pivotal Software's Cloud Foundry, GitHub, Heat, Jenkins, Murano, OpenShift, Puppet, Solum, and Trove. As can be noted, the discussion went beyond just the PaaS platform to application life cycle management. One conclusion was that IT operations executives should keep in mind that when talking to their development counterparts, the development requirements lists are more flexible than most claim or developers would not be able to use AWS. This bodes well for moving to standardized cloud platforms and away from development defining systems rather than requirements. However, in the near term, application dependencies will be a major problem that users and vendors will have to solve.
One of the executives warned that PaaS has a long way to mature and that one component not currently present but desirable will be graphics/visualization. He expects visualization tools to simplify the creation of workflow diagrams and the underlying processes. Since this parallels what has occurred in other areas of process automation, RFG believes it is highly likely that these types of tools will materialize over the long term.
When it became apparent that PaaS is more about the application life cycle than the platform itself, DevOps and life cycle management became the prime topic of discussion. Executives envisioned a PaaS solution that supported the development process from the PC development platform to production to future releases. However, implementation of standardized platforms and DevOps implies a transformational change in the development process. This does not imply eliminating choice; but choices should be limited without stifling innovation. Developers will need to be taught how to rapidly move applications through the development cycle through the use of automated tools. There are platform tools that can watch a repository, see a commit, check it out, run Jenkins on it, go through the quality assurance cycle and go live after it gets a "green light." This automated process can shrink the development time from months to minutes.
There was a consensus for a need to re-define the development lifecycle based on the new PaaS technologies, including delineating the baseline requirements and policies for automation, continuous build, and version control.
Compliance and Security
Initially attendees did not think there was much value in discussing compliance and security for cloud computing. But comments from an IBM security CTO got them rethinking their positions. She stated IBM is completely rewriting its internal security policies to accommodate cloud computing. Everyone needs to start over and rethink security architecture and controls, especially secondary and tertiary levels. The risks have changed and are changing more rapidly as time goes on. Therefore, auditable controls and security must be built in upfront not as an afterthought. This needs to be done on a global basis to contain costs. All units in an enterprise need to be on the same page at each point in time and maintain the trajectory of heading in the same direction for it to be successful.
Compliance is a different matter. While everyone is addressing security in some measure, compliance lacks common global standards for infrastructure, platforms and applications. FFIEC rules and ISO 22002 standards must be met along with NIST, FedRAMP, and non-U.S. standards in the countries in which the financial institutions operate. It is possible that there is 80 percent overlap but the standards must be mapped and addressed. One of the financial services firms has already mapped the FFIEC rules back to ISO 22002 but the rest has not been addressed. Once the appropriate compliance requirements are mapped, commonalities determined and gaps addressed, users can go to the regulators to request approval and can ask cloud providers to include the de facto standards in their offerings. The group agreed that a working group should consolidate current standards and guidelines, creating a document that can be agreed upon and taken to regulators for acceptance.
Additionally, IT executives need to ensure cloud service provider (CSP) contracts have provisions for certification and/or responsibility for controls. CSPs must take responsibility from a regulatory view, if they expect financial firms to be comfortable using their services. The contracts must also clearly call out the roles and responsibilities of both parties and the process for hand offs.
Common Architecture
The purpose of a common architecture is to enable application portability across platforms within an enterprise as well as for bursting out to private or public clouds to handle peak loads. This is not to suggest all cloud platforms support all applications. But for those platforms where there is workload affinity for a certain application set, the ability to move from one instance to another should be a simple task. The goal should be "one click" portability that gives almost instantaneous movement to another instance anywhere in the cloud or expansion that adds instances and allows for hybrid cloud environments.
The IT executives and architects concurred that the common architecture vision is a concept that may become a reality in the long-term but will require mature standards first. A discussion arose on the topic of whether Amazon AWS APIs and standards could be used as a baseline. However, Amazon pointed out that the APIs are copyrighted and approval would be required first. Amazon will look into the possibility of getting approval. In the meantime, the users agreed that the financial services firms will not wait for the availability of a common architecture but invest now to meet their business needs. As a next step, the group agreed to start developing the commonalities for the architecture.
Summary
The IaaS and security groups agreed to a joint effort to review the many overlapping Compliance standards for commonalities and reduce that list to a bare-essential set of requirements. Essential security elements will be added to the list. The PaaS group wants to use a declarative approach to indicating all the resources, and policies amongst the resources and for the PaaS platform. From a developer life cycle perspective, the group wants to include, in a declarative template, the various components of the application development life cycle. Amongst the items to address are the release levels including continuous builds and testing.
IT executives suggested including the OCC in the next session to provide regulators with guidance on financial institutions' direction for APIs, de facto standards, reference architectures and frameworks, and to perhaps influence the regulators' direction accordingly. Users also asked for the adoption of a mechanism for keeping track of workgroup progress and communicating that to other Forum members. Suggestions include tools used by other standards organizations and working groups.
In sum, the comments and conclusions of the IT executives and architects in the cloud forums are indicative of the challenges, requirements and directions of the top U.S. and global financial institutions. But the executives believe the time and resources spent in the development of requirements and standards will be worth it.
RFG POV: Financial Services firms are committed to moving to cloud platforms, both on-premise and in private and public clouds. Since they will not be waiting for the IaaS and PaaS offerings to mature, there is a strong commitment to work together to create baseline APIs, requirements and standards that can be frameworks for the financial institutions, regulatory agencies, and cloud vendors. These frameworks should enable the firms to reduce costs, drive cost efficiencies, achieve a level of vendor independence, and simplify compliance with regulatory requirements. Moreover, the frameworks should be applicable to other industries and enable any large enterprise to more easily and rapidly take advantage of cloud computing. IT executives should approach their move to the cloud strategically by defining their policies, frameworks, guidelines, requirements and standards, and performing opportunity/cost analyses first before committing to one or more target cloud architectures and implementations.
Grape Escape Showcases Apparancy and SYSPRO
RFG Perspective: Cost efficiencies, elimination of redundancy, and delivery of timely accurate information to users anywhere, anytime and on any device remains a top priority across the business landscape. In the manufacturing and distribution sectors U.S. business executives in small- and medium-sized (SMBs) companies have struggled like Sisyphus and the boulder to maintain their organizations; many have been snuffed out entirely. A new survey showing that manufacturing in the US is on the rise should spur cautious optimism among business executives. However, now more than ever these businesses need business process management (BPM) and/or enterprise resource planning (ERP) solutions to remove cost and redundancy and deliver just in time and timely information to executives and their staff wherever, whenever and on whatever device. In the healthcare sector the passage of the Affordable Care Act has been met with both criticism and praise. Its future is uncertain. What is certain, however, is that the Veterans Administration scandal has focused the lens on a persistent, growing problem: Veterans have to file a morass of forms to claim benefits they both need and deserve. The implementation of innovative technologies aimed at untangling and simplifying Veterans' benefits claims and scheduling processes as well as a cultural change that supports the technology would be a giant leap forward for these praiseworthy and selfless individuals.
The JRocket Marketing Grape Escape ® 2014 provided industry analysts with a rare insider’s peek at two of today's innovative, nimble, and multi-faceted technology vendors. The three-day event was a tour de force that showcased Apparancy and SYSPRO, two disruptive leading-edge companies that are reshaping their industry sectors.
Apparancy
Apparancy is delivering on its Know. Do. Prove. value proposition with an automated business process platform that initially aims at helping healthcare organizations connect multiple existing systems and data sources to achieve specific goals. At this year's event, Karen Watts, CEO of Apparancy, expounded on how Apparancy can help these organizations identify disjointed workflows, and eliminate redundancies and data overlap, by combining data and processes into single-purpose role-based views that eliminate the need to rip and replace.
The big news was Ms. Watts' announcement – appropriately - on Memorial Day that Apparancy had acquired usage rights to an earlier software product "TurboVet," which had already catalogued some five thousand plus Veteran's Administration forms. Apparancy has begun work on updating and integrating these forms into its platform with the end game of launching VetApprove in Q4 2014. If necessity is the mother of invention then, Apparancy, powered by Corefino, is filling a market vacuum with its VetApprove Veterans benefit product. VetApprove will revolutionize the way Veterans will be able to access their entitled benefits.
VetApprove will enable 22 million Veterans to apply for entitled healthcare, employment, education, state compensation, and disability benefits, as well as for other entitlement programs such as funeral benefits extended to spouses of veterans. This service will be offered to veterans free of charge. Additionally, it can become the underlying workflow management platform that would enable the VA to efficiently process applications, schedule services, and monitor and manage its operations, which are still antediluvian and lack accurate measurement metrics.
SYSPRO
Joey Benadretti, President of SYSPRO USA, announced a turnabout in US manufacturing trends. Citing MAPI survey findings, Mr. Benadretti pointed to a potential upswing in the future of US manufacturing. The study, which covered the period from 2006-2012, showed 19 states experiencing double-digit growth above the national average with the majority of those in the western states. He also pointed out that US manufacturing is moving from Mexican Border States (except Texas) to those states that are closer to the Canadian border. Output in two sectors is also accelerating and to address these trends SYSPRO is expanding into the automotive and energy manufacturing sub-industries.
On the product side the company's new SYSPRO Espresso provides an enterprise mobile ecosystem that can be tailored to satisfy front-end and back-end requirements. Features of the highly anticipated SYSPRO Espresso will include new drag and drop technology and mass customization for any device with an emphasis on being device agnostic. This ground-breaking technology supports single sign-on, is device-agnostic, and allows users to access multiple applications on multiple devices using a roaming profile so they can switch from one device to another and instantly connect. This creates an advantage for both the customer as well as SYSPRO, as the millennial generation will want to access ERP on their mobile devices. These tech-savvy users will also want to customize which apps they will want to see on their mobile phones, tablets, etc. due to the device real estate.
Not surprisingly, SYSPRO currently has one of the highest customer retention rates in the industry. Mr. Benadretti confidently remarked that his company will remain on the cutting edge of technology providing customers with product flexibility and low-cost solutions.
RFG POV: Apparancy and SYSPRO unveiled substantive, cutting edge, and innovatively disruptive technology solutions. Apparancy’s targeted focus will enable the beleaguered VA to begin to meet the urgent needs of its Veterans, while SYSPRO is enabling manufacturing executives to meet customer demands as the industry undergoes an uptick in growth and a geographic shift. Business, government and IT executives should proactively harness spot-on technology solutions to solve exigent business problems, respond expeditiously to clients, and manage change well into the future so that their organizations continue to satisfy customers and remain relevant as markets evolve.
Additional relevant research and consulting services are available. Interested readers should contact Client Services to arrange further discussion or interview with Ms. Maria DeGiglio, MA, and Principal Analyst.
Cybersecurity and the Cloud Multiplier Effect
RFG Perspective: While corporate boards grapple with cybersecurity issues and attempt to shore up their defenses, the inclusion of cloud computing models into the equation are increasing the risk exposure levels. Business and IT executives should work together to aggressively establish processes, procedures, and technology that will minimize the risk exposures to levels deemed acceptable. Additionally, senior executives and Boards of Directors need to play a more active roll in the accountability and governance of cybersecurity by discussing and addressing challenges, issues and status at least quarterly.
An article on the front page of the Wall Street Journal on June 30, 2014 discussed corporate boards racing to shore up cybersecurity. It alluded to a number of corporate boards waking up to cyber threats and worrying that hackers would steal company know-how and intellectual property (IP). In the first half of 2014 1,517 NYSE- or NASDAQ-traded companies listed in their securities filings references to some form of cyber attack or data breach – almost a 20 percent increase from the previous year. In all of 2013 1,288 such filing comments were made whereas in 2012 only 879 companies reported cyber statements. This is good and bad news – good that cybersecurity is getting CEO and Board attention and bad news in that executives are belatedly waking up to an endemic problem.
Fiduciary Responsibility
The Board and CEO have a fiduciary responsibility to shareholders to protect the company's assets from undue risks. It is not something that can be assigned and then ignored. Yet that is what has happened at many companies over the years. They must be involved in cybersecurity governance and decision-making on an ongoing basis and not shunt it off to Chief Risk Officers (CROs), Chief Security Officers (CSOs or CISOs) and/or IT executives. CEOs and other senior executives should also ensure privacy and security programs are aligned with each business unit's requirements and that the risk probability and exposures are reasonably known and reduced to an acceptable level. It is important that all parties understand that zero security risks are not possible anymore (nor would the expense be worth it if attainable); what is important is to agree upon what level of risk exposure is acceptable, budget for it, and implement initiatives to make it happen.
At the Board level there should be a risk committee that is responsible for all risk management, including cyber risk. Moreover, best practices suggest Boards should, as a minimum, address the following five areas:
- regularly reviews and approves top-level policies on privacy and IT security risks
- regularly reviews and approves roles and responsibilities of lead personnel responsible for privacy and IT security
- regularly reviews and approves annual budgets for privacy and IT security programs separate from IT budgets
- regularly reviews and approves cyber insurance coverage
- regularly receives and acts upon reports from senior management regarding privacy and IT security risk exposures.
These efforts can be done by the full Board or by a risk committee that reports to the Board. Some Boards may have assigned this role to the audit committee but, while it is good that it is addressed, it is not a perfect fit.
Cloud Multiplier Effect
In June the Ponemon Institute LLC published a report on the cloud multiplier effect. The firm surveyed 613 IT and IT security practitioners in the U.S. that are familiar with their companies' usage of cloud services. The news is not good. Because most respondents believe cloud security is an oxymoron and certain cloud services can result in greater exposures and more costly breaches, the use of cloud services multiplies the breach costs by a factor between 1.38 and 2.25. The top two impacts are from cloud breaches involving high value IP and the backup and storage of sensitive or confidential information, respectively. Most respondents believe corporate IT organizations are not properly vetting cloud platforms for security, are not proactively assessing information to ensure sensitive or confidential information is not in the cloud, and are not vigilant on cloud audits or assessments.
Moreover, disturbingly, almost 75 percent of respondents believe their cloud services providers would not notify them immediately if they had a data breach involving the loss or theft of IP or business confidential information. Almost two-thirds of those surveyed expressed concern that their cloud service providers are not in full compliance with privacy and data protection laws – and this is in the U.S. where the rules are less strict than the EU. Furthermore, respondents feel there is a lack of visibility into the cloud as it relates to applications, data, devices, and usage.
Summary
Boards, CEOs and senior non-IT management need to become more aware of their cybersecurity exposures and actively participate in minimizing the risks. IT executives, on the other hand, need to present the challenges, status and trends in a more business, less technical manner, including recommendations, so that the other executives can appreciate the issues and authorize the appropriate actions. As the Ponemon study shows, the challenges go beyond the corporate four walls into clouds they have no control over. IT executives need to become involved in the selection and vetting of cloud services providers. Furthermore, business and IT executives must work together and build strong governance practices to minimize cybersecurity risks.
RFG POV: Cybersecurity risk exposures are increasing and collectively executives are falling short in their fiduciary responsibilities to protect company assets. Boards, CEOs and other senior executives must take their accountability seriously and play a more aggressive role in ensuring the risk exposures to corporate assets are known and within acceptable levels. For most organizations this will be a major cultural change and challenge and will require IT executives to proactively step forward to make it happen. IT executives should collaborate with board members, senior executives, and outside compliance services providers to establish a program that will enable executives to establish a governance methodology that monitors and reports on the risks and provides cost/benefit analyses of alternative corrective actions. Moreover, at a minimum, corporate executives must review the governance materials quarterly, and after critical risk events occur, and take appropriate actions.
Cyber Security Targets
RFG Perspective: While the total cost of the cybersecurity breach at Target will not be know for quite a while, a reasonable estimate is that it could easily cost the company more than $500 million. The price tag includes bills associated with fines from credit card companies, other fines and lawsuits for non-compliance, services such as free credit card report monitoring for its impacted 70 -110 million customers, and discounts required to keep customers coming in the door. These costs far exceed the IT costs associated with better cybersecurity prevention. Target is not alone; it is just the latest in a long line of breaches that have taken major tolls on the attacked organization. Business and IT executives need to recognize that attackers and hackers will constantly change their multi-pronged sophisticated attack strategies as they attempt to stay ahead of the protections installed in the enterprises. IT executives need to be constantly aware of the risk exposures and how they are changing, and continue to invest in measured, integrated cybersecurity solutions to close the gaps.
The Target cyber breach represents a new twist to the long-standing cybersecurity challenge. Unlike most other attacks that came through direct probes into the corporate network or through employee social-engineered emails, spear phishing, or multi-vectored malware aimed at IT software, the Target incident was an Operations Technology (OT) play. One reason for this may be that the vendor patch rate has improved and successes of zero-day exploits are dropping. Of course, it could also be that the misguided actors were clever enough to try a new attack vector.
IT vs OT
Most IT executives and staff give little thought to OT software, usually referred to as SCADA (supervisory control and data acquisition) software. These are industrial control systems that monitor and control things such as air conditioning, civil defense systems, heating, manufacturing lines, power generation, power usage, transmission lines, and water treatment. IT (outside of the utilities industry) tends to treat these systems and the associated software as outside of their purview. This is no longer true. Cyber attackers are constantly upping the ante and now they have begun going after OT software in addition to traditional attack vectors. IT executives and security personnel need to become actively engaged in ensuring the organization is protected against these types of threats.
Incident Attack Types
In 2013 according to the IBM X-Force Threat Intelligence Quarterly 1Q2014, the top three disclosed attack types are distributed denial of service (DDoS), SQL injections, and malware. These three vectors account for 43 percent of 8,330 vulnerability disclosures while another 46 percent of attack types remain undisclosed. (See below chart from the IBM report.) The report also points out that Java vulnerabilities continue to rise year-over-year with them tripling in the last year alone. Fully half of the exploited application vulnerabilities were Java based, with Adobe Reader and Internet browsers accounting for 22 and 13 percent respectively. Interestingly, mobile devices excluding laptops have yet to be a major threat attack point.
Currency
Another common pressure point on IT organizations is keeping current with all the security patches authorized by software providers. The good news is that vendors and IT organizations are doing a better job applying patches. The overall unpatched publicly-disclosed vulnerability rate dropped from 41 percent in 2102 to 26 percent in 2013. This is great progress but still much remains to be done, especially by enterprise IT. The amount of patches to be applied on an ongoing basis can be overwhelming and many IT organizations cannot keep up, especially with quick fixes. Thus, zero-day exploits still remain major threats that IT needs to mitigate.
Playing Defense
The challenge for IT CISOs and security staff increases every year as the number and types of actors attempting to gain access to IT systems continues to grow as do the types of attacks. Therefore, enterprises must reduce their risk exposure by using monitoring and blocking software that can rapidly detect problems almost as they occur and shut off attacks immediately before the exposure becomes too large. Additionally, staff must fine-tune access controls and patch known vulnerabilities quickly so as to (virtually) eliminate the ability for criminals to exploit holes in infrastructures. Security executives and staff should work collaboratively with others in their field and share information about attacks, defenses, meaningful metrics, and trends. IT executives should ensure security personnel are continually trained and aware of the latest trends and are implementing the appropriate defenses as rapidly as possible. As people are one of the weakest links in the security chain, IT executives should also ensure all employees are aware of company privacy and security policies and procedures and are judiciously following them.
RFG POV: IT executives and cyber security staff remain behind the curve in protecting, exfiltrating, discovering, and containing cyber security attacks and data breaches. There are some low-hanging initiatives IT can execute to close some of the major vulnerabilities such as blocking troublesome IP addresses at the perimeter outside the firewall and employing enhanced software monitoring tools that can spot and alert security of suspect software. Additionally, staff can improve password requirements, password change frequency, two-factor authentication, inclusion of OT software, and rapid deactivation of access (cyber and physical) to terminated employees. Encryption of data at rest and in transit should also be evaluated. However, IT are not the only ones on the line for corporate security – the board of directors and corporate executives share the fiduciary burden for protecting company assets. IT executives should get boards and corporate executives to understand the challenges, establish the acceptable risk parameters, and play an ongoing role in security governance. IT security executives should work with appropriate parties to collect, analyze, and share incident data so that defenses and detection can be enhanced. IT executives should also recognize that cyber security is not just about technology – the weakest links are the people and processes. These gaps should be aggressively pursued and the problems regularly communicated across the organization. The investment in these corrective actions will be far less than the cost of fixing the problem once the damage is done.