News/Trends, Tech/Engineering

A Minimalist Guide To Enterprise IT Security

I’ve been thinking recently about how to apply the concept of Minimalism to modern-day security and infrastructure problems. As I look at the various IT products that glorify owning the “entire stack,” pushing for on-premises solutions in a cloud-enabled world, I realize that there may be a better way.

For as long as I have been in the world of enterprise IT security, there has been a need for more tools, actionable information, and new solutions to automate the remediation of the latest threats. At some point, you look around and have so many alerts, tools, threats, and compliance and regulatory requirements that you end up wanting to rip down the current security infrastructure and start from scratch.

I am huge fan of Joshua Becker, one of the leading authorities on minimalism, and often refer to his advice as I look at decluttering various things in my life. One of the tenets of minimalism is to reduce the number of things that you own so you can focus on that which is most important. As I look at the various IT products that glorify owning the “entire stack,” pushing for on-prem solutions in a cloud-enabled world, I realize that there may be a better way.

One of the major sticking points in moving to the cloud has always been security. This fear is often used as a justification for continuing to maintain and build on-site infrastructure. However, you only have to look at the myriad security capabilities, certifications, and attestations of both AWS and Azure to see that that argument does not hold water. AWS’s data centers, for example, feature numerous industry certifications, including SOC 1 (which covers SAS-70 Type II and its replacement, SSAE-16) and ISO-27001, and use state-of-the art electronic surveillance, multi-factor access control systems, and 24×7 physical security guards. These capabilities are being complemented further by SaaS vendors like Druva who provide value-added security above and beyond what AWS and Azure provide.

The other claim I have encountered is that on-prem infrastructure is always more secure because it’s under “organizational control”—otherwise known as the “we know where it is” argument. But does this actually make an on-site data center more secure? Not really. If one person knows where the data center is, it’s highly likely so does the rest of the organization, and those that know about it already have physical access.

Considering that 80% of security breaches come from inside the firewall (generally by employees), this argument doesn’t really add up. Given the fact that organizations that leverage the cloud can take advantage of servers in secure hosting facilities around the globe, one could argue that this leads to better security, with data dispersed across a number of protected locations rather than confined to a single, vulnerable one.

It’s actually quite illuminating to see what is already in the cloud. Most organizations are already leveraging SaaS for critical applications; HR applications like Workday have been in the cloud for quite some time; Oracle and SAP have both certified their applications to run on cloud infrastructure like AWS and are seeing continuous customer adoption and growth.

Most notably, Salesforce recently declared AWS its “preferred” public cloud infrastructure platform. The SaaS provider will be spending about $400M with Amazon over the next four years and will connect its core services—including the Sales Cloud, Service Cloud, and App Cloud—to AWS. New Salesforce offerings, like its upcoming Internet of Things (IoT) Cloud service, will also be on AWS. Considering that Salesforce takes security very seriously, and has long hosted these applications in its own datacenters, this is a game changer. It’s clear that Salesforce would not move these apps to the cloud unless all its concerns around cloud security had been resolved.

It seems to me that IT organizations should be focused on finding solutions that enable business agility rather than worrying about owning and maintaining on-prem infrastructure and stack components that are readily available in the cloud, with security already built in. And if security is no longer the issue, tell me: why would you want to own the whole stack?

Learn why cloud-based enterprise data protection makes sense for your organization today, and how Druva is leveraging the public cloud for state-of-the-art backup, archiving, and disaster recovery, by downloading the executive brief below titled ‘Leveraging The Public Cloud for Enterprise Data Protection.’