Your Annual Security Alert!

August 23, 2011

You might think that it is a little early to comment on how bad (or good) IT security has been this year, but then again, maybe not. As one commentator puts it ‘We are just halfway into 2011, but it is already safe to say that it will go down in history as one of the worst ever years for information security.’ Forgetting for a second that there are many companies whose data breaches we never hear about, due to their fear of irreparable reputation damage, the organisations we do know have been compromised show that no area is immune: from government bodies like the CIA and SOCA, through public sector organisations such as the NHS, to financial behemoths like Citigroup and global entertainment players such as Sony.

The sources of attack are equally varied. Governments continually remind us that they and we are constantly under cyber attack from other governments and government-sponsored third parties; industrial espionage and sabotage have always been with us, and these too now have an IT dimension; then there are of course the ‘professional’ criminals, working for themselves or perhaps one of the aforementioned categories. However, the sources that seem most novel and have stoked up most interest recently, in the mainstream press as well as the IT security industry, are the loose-knit associations of individuals who claim their actions are done purely ‘for the fun of it’, or for some questionable anti-establishment cause. These groupings have been labelled cyber-anarchists by some and the most recent examples are LulzSec and Anonymous.

Whatever one thinks about these groups and the reasons they give for their actions (when they do), they have certainly demonstrated that even the security precautions of major (let alone smaller) organisations are woefully inadequate. They show little concern for legal niceties or possible collateral damage to innocent third parties, as has been seen in their action of publishing the usernames and passwords of the customers of organisations whose security they have compromised. It is not necessary to antagonise them or do something ‘wrong’ in order to be hurt by these groups; we are all at risk. 

Security Today 

We know that there is both a human and a technical aspect to keeping our organisations safe. I wrote about the human aspect last year and, human nature being unchanging, I won’t repeat here everything I said then. However, while human weaknesses and the steps to protect ourselves against them change little from one year to another, technological threats are constantly evolving and, as we all know, recession or no recession, the pressure to reduce IT costs is always present. This can be particularly acute in the case of IT security where there is no obvious benefit that management can point to at the end of the day, but rather a perceived never-ending drain on resources. Success, in the case of security, is more a matter of what does not happen than what does; not something that is easily quantified or even identifiable when trying to boost your career, justify expenditure or, perhaps more relevant nowadays, simply argue against budgetary cuts! 

There are many articles and check-lists available covering all the different sorts of technological protection you should have on your firm computers and the myriad of mobile devices available: firewalls, antivirus/malware, remote delete, complex (but not too complex) passwords, etc. But is there a big industry trend you should have in mind when you come to perform your annual security review? Yes, cloud-based security. This, depending on your confidence in someone else securing your assets, can be seen as an alternative to on-premises security measures, or its complement. 

Currently most of us are familiar with, and use on our desktops and servers, products from the traditional IT security companies (eg Kaspersky, Symantec/Norton, McAfee, Panda, Sophos, Avast, AVG) or that lumbering giant Microsoft, which has been providing security products for a number of years and has now started to see strong uptake with its Forefront suite. You will have your own opinions as to the worth of what you currently use and what you have used in the past.

Security Tomorrow? 

You will also have your own evaluation procedure which you go through when reviewing your IT security, but whatever its form, be it formal or informal, I would suggest that three main criteria can be discerned in any evaluation process.

  • costs (hardware, software, IT expertise, etc)
  • time and effort to implement the technology and collateral disruption for fee earners and other staff
  • effectiveness. 

Given these criteria, what can one say about ‘security as a service’ compared to traditional in-house security? 

Costs 

Whatever level of security you choose, a provider of hosted security will be supplying that level to many others. Thus, due to economy of scale alone, your security will cost a cloud provider a lot less than it will cost you, doing it yourself, for your firm alone, on your own in-house hardware. Competition among the online providers will ensure that savings are passed to customers, for whom there will be reduced hardware and software costs, and also, at least partially, lower direct and indirect costs associated with employing in-house staff, or engaging consultants onsite. Furthermore, depending on the provider, you may be able to negotiate further cost reduction, particularly when the requirements go beyond the basic levels of security for which the cost is likely to be less flexible.

Obviously the more you have remotely hosted, the greater the security savings will be. However, you may choose to replace your server applications with cloud based offerings while keeping user desktops in-house. In that case there will still be staff and software costs associated with securing those desktops, but at least the overall security burden will be less. 

On the other hand you may decide that your PCs should become smart terminals, making use of desktop virtualisation. This means that from your PC you authenticate to a cloud infrastructure where you load your computer desktop, which has security built into it. You will not need to buy/licence a security suite for however many PCs and laptops you have, and all aspects of security maintenance will fall to staff at the hosting company. 

There are other less obvious benefits of cloud based security which can indirectly save money. For example, up to 80% of all e-mail is spam. If your spam filtering takes place in the cloud before the spam reaches the firm network then bandwidth is conserved, servers are not tied up opening and inspecting every message and attachment, and mail queues do not build up, all of which can produce demands for expenditure on ever more powerful servers and faster network infrastructure – not to mention disgruntled users. 

Time, Effort and Disruption  

The time and effort expended by your own IT staff will obviously be less the more that application programs and their security are dealt with remotely. While many may be happy to relinquish the security burden, to a greater or lesser extent, others will feel uneasy about this but, like it or not, this is an unavoidable consequence of moving an IT service to the cloud; the task of securing the service moves too! As with SaaS in general, disruption to the end-user in the firm should be minimal when the service being secured is cloud based. One might retort that there can be equally minimal disruption with security upgrades/maintenance on in-house software, as this can be performed outwith business hours. However, out-of-hours staffing costs, the undesirability of unsupervised access to offices and other concerns mean that for some firms this is not feasible, whereas these factors are not relevant when remotely hosted software is upgraded overnight. Moreover, and once again due to economy of scale, the whole operation is likely to be much slicker when it is the core business of the company doing it. 

Effectiveness 

There is no easy way to comparatively evaluate this. Of course you could carry out your own virus scanning on a local copy of e-mail which has been delivered to your hosted mailbox and then synchronised with a local device. But would you really want to bother? Particularly as no security software is 100% flawless. 

Probably a better gauge of effectiveness can be gleaned by considering the efforts security companies are putting into cloud based security. 

Whatever one thinks, has experienced, or has heard about the effectiveness of cloud based security, there is no doubt that it will improve. This is because it is in the security industry’s own interest to ensure that it does. Some would even go further and say that it is for the IT security industry a matter of self-preservation. This claim can be explained as follows. 

Security companies, like the rest of us, read the analysts' reports about the escalating take-up of cloud based services of all types (SaaS, IaaS, PaaS, etc). Gartner, for example, predicts that worldwide revenue from cloud services will top $56 billion this year, a 21% increase on last, and that by 2013 the figure will be $150 billion. It sees no sign of the trend slowing down and claims that much of that revenue will come from the replacement of on-premises software.

The security companies know that the more customers use cloud based applications rather than their own in-house desktop and in-house server software, the more the demand for traditional on-premises add-on security software and its associated subscription fees will diminish. There will be a corresponding increase in demand for cloud based security from the companies providing the online applications but this will not produce complacency within the IT security industry. It has always been fiercely competitive and that competition, plus the relative ease with which hosting companies can switch from the products of one IT security company to another, will compel the security companies to provide products every bit as good as the traditional ‘bolt-on’ ones. The margins may be slimmer than if selling to retail customers but that market is only going to get smaller.  

Conclusion 

Both Forrester and Gartner predict an unremitting increase in the uptake of SaaS/the Cloud throughout the IT world, with the revenues generated increasing threefold within two years. The major security players seem well aware of this trend and the potentially damaging effect it could have on their traditional revenue streams. 

Cloud based security has of course, to some extent, existed for quite a while, though it has not always been labelled as such. For example, there have long been message scanning companies that sanitise the incoming and outgoing e-mail of an organisation before forwarding it for delivery. 

What is markedly different now is the number of, and vast size of, cloud based companies providing for users ever more services (both new ones and replacements for in-house ones). Whereas the earlier incarnation of SaaS, the ASP bubble, was the preserve of smallish, niche service providers, which the security industry could pay lip service to, today’s providers of cloud services are mainstream companies which are here to stay and becoming ever bigger. The IT security companies are now turning their expertise to these hosts and the service delivery methods they use. This shift of focus is bound to be at the expense of their traditional in-house server and desktop security products.

 

The longer term and more drastic change as regards IT security could be the end of security technology as a distinct and separate part of the IT landscape. Evidence of this can already be seen in some of the company consolidation of recent years, with larger security companies buying smaller ones, and providers of other services acquiring security businesses in order to make security an integral part of what they do (rather than something which is added on). Thus we have Google (an online service provider) buying Postini (a security company), Symantec (a large security company) buying MessageLabs (secure messaging), and RSA (a security firm) becoming a division of EMC (traditionally storage and backup/archiving).

The absorption of security operators by other IT concerns is not confined to the world of online services, as the above examples illustrate, but it is something that the move to the cloud is likely to accelerate. Therefore, whatever one’s inherent inclination as to how the technological (as opposed to human) side of security should be addressed, we may increasingly have little choice. We may simply have to accept that securing our assets is going to move more and more out of our hands. For many that would be welcome, as the idea of security being embedded within IT programs and hardware, rather than something the user has to address themselves, has long been something most have desired.

Alastair Morrison works at Strathclyde University where he evaluates, implements and runs IT services: alastair.morrison@strath.ac.uk