As IT continues to empower a new, digitally-transformed world, infrastructure capability isn’t the only thing that needs to become more agile and flexible. IT security must also evolve to be more adaptable, more proactive and less reactive to let today’s workforce embrace the cloud.
After all, it doesn’t make sense to unleash new, agile IT applications only to weigh them down with traditional security strategies that create delays, restrictions and outright denials.
For example, in some cases with IT as a Service, a user can provision a virtual machine (VM) in five minutes but then must wait three to five days before security allows access to the data he or she wants to work with.
The question is, how is IT security going to change in this new digitally transformed world so that we can fully take advantage of the agility and simplification of cloud-enabled infrastructure?
A key part of the answer lies in a new approach to trust and risk assessment.
Not just saying ‘no’
The longstanding approach of traditional IT security organizations to safeguarding information has been based on building perimeters and firewalls around assets largely controlled on-premises. That worked when data was used within a traditional on-premises data center but is clearly unable to scale for the continually expanding, mobile and collaborative way today’s IT clients use information.
In the face of increasing amounts of off-premises data, traditional security practitioners have taken a "block first" position: "I don't trust you, so I am going to block everything you do and then grant access only according to my risk appetite." However, that model does not align with the agile and collaborative goals of IT and the business today. 'No' is not a solution, and 'No' is not an answer.
The good news is that, with a more modern infrastructure and a much more mobile workforce, the security conversation is being turned around. Digital solutions feature new capabilities that allow IT to manage access, determine the context of a request, and take action based on its risk profile. Such built-in safeguards make securing data more flexible, and they actually reduce risk by shrinking the attack surface, rather than relying on blanket restrictions that push users toward workarounds.
As a result, security experts are beginning to recognize the merits of trusting IT and the business to deliver secure solutions through protections that are built-in and not bolted-on. They are shifting from permission-based security to an intelligence-based, risk management approach.
For instance, rather than relying on a traditional username and password that grants access to core IT resources, IT environments are being built with access management safeguards that define who can access specific data based on predetermined requirements. Such built-in guardrails lessen the potential threat to the specific environment because the protections remain in place whether the user is inside or outside the firewall. What's more, the built-in controls give users added flexibility: when developers want to add a new app in the environment, they won't have to go back to security and wait multiple days for a firewall rule to be opened.
Overall, the idea of security being more proactive and less reactive, and designing more measured responses to threats creates a new conversation: It’s not just saying “no, you can’t do that.” It’s saying “okay, what is the risk exposure” and then understanding what the business impact will be from that risk.
Security’s new role becomes more of a governance and oversight entity, setting guardrails around how solutions will operate.
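The "what is the risk exposure?" model described in the preceding paragraphs can be made concrete with a small policy engine. The code below is an added, hypothetical illustration written for this page, not Dell IT's implementation: the roles, data classifications, point values and thresholds are all assumptions. Rather than a single yes/no decision at the firewall, each request is scored from its context (identity, second factor, device posture, network location, data sensitivity) and mapped to one of four actions, with a couple of hard guardrails that no score can outweigh.

```python
"""Context-aware access decision engine (hypothetical example, not Dell IT code).
Each request is scored from its context and mapped to an action:
allow, allow_limited (short session plus extra logging), step_up, or deny."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str              # "employee", "contractor" or "admin" (assumed roles)
    mfa: bool              # a second factor was presented for this session
    managed_device: bool   # device is enrolled and passes compliance checks
    on_corp_network: bool  # request originates inside the corporate network
    data_class: str        # "public", "internal", "confidential", "restricted"


# Base risk of the data being touched (assumed classification scheme).
DATA_CLASS_RISK = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}


def risk_factors(req):
    """Return (factor, points) pairs explaining the score; useful for audit logs."""
    factors = [("data:" + req.data_class, DATA_CLASS_RISK[req.data_class])]
    if not req.mfa:
        factors.append(("no_mfa", 2))
    if not req.managed_device:
        factors.append(("unmanaged_device", 2))
    if not req.on_corp_network:
        factors.append(("off_network", 1))
    if req.role == "contractor":
        factors.append(("contractor", 1))
    return factors


def risk_score(req):
    return sum(points for _, points in risk_factors(req))


def decide(req):
    """Map a request to an action. Hard guardrails come first and cannot be
    outweighed by a low score; everything else is graded by risk."""
    # Guardrail: restricted data is never served to an unmanaged device.
    if req.data_class == "restricted" and not req.managed_device:
        return "deny"
    # Guardrail: contractors are scoped away from confidential data entirely.
    if req.role == "contractor" and DATA_CLASS_RISK[req.data_class] >= 3:
        return "deny"
    score = risk_score(req)
    if score <= 2:
        return "allow"
    if score <= 5:
        # Medium risk: proceed with a short session and extra logging if a
        # second factor is already present, otherwise ask for one first.
        return "allow_limited" if req.mfa else "step_up"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests, not real accounts.
    samples = [
        AccessRequest("alice", "employee", True, True, True, "internal"),
        AccessRequest("bob", "employee", False, False, False, "confidential"),
        AccessRequest("carol", "admin", True, True, False, "confidential"),
        AccessRequest("dan", "admin", False, True, True, "confidential"),
        AccessRequest("eve", "contractor", True, True, True, "confidential"),
    ]
    for req in samples:
        print(f"{req.user:6} {decide(req):14} score={risk_score(req)} {risk_factors(req)}")
```

The point of returning the factor list alongside the decision is that a "deny" or "step_up" can be explained to the user and logged for review, which is what turns a blanket "no" into a conversation about risk exposure; the guardrails are the minimum set that security, acting as the governance function, would not let a risk score override.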
Security transformation in progress
We at Dell IT are in the process of transforming our IT security approach as part of our overall digital transformation, workforce transformation and IT infrastructure modernization programs.
The new cloud infrastructure capabilities we are building span not just our private data centers but also extend across public data centers hosted by public cloud providers. The challenge is to sort out the different security rules and regulations and means of segregating access and infrastructure to define what kind of data lives safely in what structure or zone.
One example of a refined access policy is the creation of a network specifically for contractors who work for Dell. Previously, contractors would get a laptop and access to the company network just like regular company employees. With the new system, contractors sign in to a specific virtual desktop infrastructure (VDI) image that defines what they can and cannot access. That provides proactive controls built in before they get on the network and start doing things.
In another proactive security measure, we have created a password portal for administrators who frequently access core systems. The portal machine-generates a new password for them every 24 hours, rather than relying on our routine requirement that users change their password every 30 days.
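The mechanics of a 24-hour administrator credential, as an added illustration that is not Dell IT's portal code: the password length, alphabet and lifetime below are assumptions. The example shows the three things that matter in practice, namely drawing the password from the operating system's CSPRNG rather than a general-purpose random generator, binding it to an issue timestamp so it expires on its own, and comparing it in constant time when it is presented.

```python
"""Short-lived administrator credentials (hypothetical example, not Dell IT code).
Passwords come from the OS CSPRNG, carry an issue timestamp, and are rejected
once 24 hours have passed, so a leaked credential has a bounded useful life."""
import math
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed alphabet and length; 24 chars over 74 symbols is about 149 bits of entropy.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
PASSWORD_LENGTH = 24
LIFETIME = timedelta(hours=24)


def entropy_bits(length=PASSWORD_LENGTH, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length=PASSWORD_LENGTH):
    # secrets.choice draws from the OS CSPRNG; random.choice is seeded from
    # predictable state and must not be used for credentials.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass(frozen=True)
class IssuedCredential:
    admin: str
    password: str
    issued_at: datetime  # timezone-aware UTC

    @property
    def expires_at(self):
        return self.issued_at + LIFETIME


def issue(admin, now=None):
    """Issue a fresh credential; `now` is injectable so expiry can be tested."""
    now = now or datetime.now(timezone.utc)
    return IssuedCredential(admin, generate_password(), now)


def is_valid(cred, presented, now=None):
    """True only if the credential is unexpired and the presented value matches.
    compare_digest keeps the comparison constant-time to avoid timing leaks."""
    now = now or datetime.now(timezone.utc)
    if now >= cred.expires_at:
        return False
    return secrets.compare_digest(cred.password, presented)


def check_after(cred, presented, hours):
    """Validity of `presented` a given number of hours after issue."""
    return is_valid(cred, presented, now=cred.issued_at + timedelta(hours=hours))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    cred = issue("dba-admin", now=t0)
    print(f"issued {cred.password} to {cred.admin}, expires {cred.expires_at.isoformat()}")
    print("valid after 23h:", check_after(cred, cred.password, 23))
    print("valid after 25h:", check_after(cred, cred.password, 25))
    print(f"entropy: {entropy_bits():.0f} bits")
```

Rotating on a fixed 24-hour clock is what makes the credential "short-lived"; the expiry check is done on the server's clock at presentation time, not on the client, so a stale password cannot be replayed simply by lying about the time.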
As we continue to advance on our digital transformation journey, our IT security strategy will also continue to evolve to improve users’ digital experience and enhance their productivity while providing adaptive and intelligent data protection built on a new level of trust and collaboration.
In another post by Ujjwal, discover Dell's approach to Pursuing the Modern Data Center, where infrastructure lives to support cloud security.