A Cloud Managed Service Provider Can Help With Data Protection
Data security is a critical component of a comprehensive risk management strategy. Organizations must analyze their security risk, taking into account factors such as industry, types of data being stored, the value of the data and the threats most likely to impact the business. Then they need to decide how much risk they’re willing to accept versus how much they’re willing to spend on security.
“You have to do a risk calculation,” says Tony Petta, IBM Cloud Managed Services Compliance and Audit focal. “Look at your data and determine its value. Then you know that if a breach occurs, you might lose this much data that has this much value financially, in reputation or otherwise. Draw your line on risk and base your security decisions on that.”
“An MSP like IBM has the advantage of knowing the entire data ecosystem. IBM has done it internally across every type of business.”
—Tony Petta, IBM Cloud Managed Services Compliance and Audit focal
Picking the right cloud managed service provider (MSP) is an important way to ensure data is optimally protected.
Cloud Can Be Secure
Over the last several years, as organizations have gained a better understanding of how cloud works, their perceptions have changed. They now realize high-level data in the cloud can be secure. Even if multiple VMs share a cloud, each machine’s data can be protected so others can’t access it.
Companies increasingly view the cloud as a cost-effective alternative to on-premises data storage that, with the right MSP, can be secure. However, no storage platform is completely attack-proof. Nation states, hacktivists and criminal enterprises are becoming increasingly sophisticated in how they breach security. Their attacks take on many forms, including malware, spyware, ransomware and zero-day attacks that exploit software vulnerabilities.
“You can’t really button up a solution with security so that it’s totally safe. As long as people are involved, with passwords and the like, it can be compromised, and that goes for cloud and non-cloud alike,” Petta says. “Threats are constantly evolving and changing. When IBM deploys a solution, we say we can defend against what we know is out there. But new threats are always being developed that we don’t yet know about.”
Solving Pain Points
Some cloud environments have thousands of VMs operating on hundreds of physical servers. Managing a solution that large can be difficult. It involves regularly checking each machine to see if the security settings have been changed, and if so, determine when and by whom. These security health checks are a pain point for companies because they require identifying and solving or patching vulnerabilities.
Plus, OSes are constantly being upgraded. For some clients, performing upgrades entails patching each of the thousands of machines in their virtual environment. An MSP can provide that service much faster and more efficiently than internal IT services. For example, IBM has automated the process to apply thousands of patches to a customer’s VMs in a weekend, Petta points out.
Qualified MSPs are also able to streamline security through automated processes. MSPs can rapidly deploy OSes on servers so they all have the same security setting, which makes updating fast and consistent across all systems.
For many companies, cloud can play a role in the standardization of images on a computer. An image is a single VM of a given configuration that’s copied, like a template file, repeatedly on hypervisors to create many customer VMs quickly and identically. When organizations build OSes on one computer at a time, the computers aren’t consistent. One computer may be designed to meet one business need, and another for something different. In the cloud, the same system can be deployed repeatedly so every environment is identical.
“This allows you to build VMs so they’re all the same and the security is the same. This is a big deal for clients when they have a cloud as a dynamic environment that can allow for growth,” Petta says.
“A retailer might need 3,000 VMs to run its business during the holidays, but only 500 in the summer. That’s where standardization comes in. You can scale up with 2,500 new machines that are all the same. There are no human errors, and the images can be regularly updated and patched before deployment to always have the most recent security updates on them when they are installed.”
Layered Approach
Integrating security into every layer of the cloud, from the data center to the OS with regular security scans to spot vulnerabilities, is the best practice. Although it’s possible to bolt-on security measures later—which is better than no security at all—retrofitting is almost always more expensive than implementing security measures that are in place during deployment.
“If you build in security at every layer, it’s a much stronger solution than if you have a cloud that’s partially secure, and then you come back later and say, ‘I need a security system for my network or my database or my application’ that gets added on later,” Petta says. “When you try to use different solutions, they may not talk to each other very well and leave gaps.”
In addition, if multiple vendors’ technologies are used, they may not integrate, leaving it difficult to secure the data. “They may not coordinate in the way you want them to. At IBM, we don’t roll out anything without security built in. We make sure each layer talks to the other layers,” Petta explains.
For example, some security firms are now leveraging big data and analytics for data protection. These companies collect security-related data from about 100 of their customers, and then analyze it. The insights inform their customers about security threats, such as what types of attacks are likely, where in the network they will strike and the possible impact if successful. Companies can use that intelligence to thwart attacks and safeguard the data environment.
“We now have so much computing power, IBM Watson* technology is one example, that can crunch, analyze, and slice and dice so much data to see trends and behaviors, and prepare for threats more effectively,” Petta said. “Machine learning will also play a role by recognizing bad actors. This is technology to get ahead of the breach to prevent it instead of react to it.”
MSP Differentiators
Public clouds are secure in certain areas, but don’t provide comprehensive end-to-end security. By contrast, an MSP can deliver the level of security the business needs and is then responsible for that level of health and protection for the system.
“With public clouds, once they take the payment and deliver the resources to stand up the cloud, everything above the hypervisor, which is what creates the virtualization layer that runs directly on the hardware, is your responsibility,” Petta says.
“If something breaks, something is compromised or data is stolen, it’s not their problem. It’s your problem. Providers like these are now beginning to offer a type of managed services from a third-party provider, but this type of bolt-on security has its gaps and issues integrating with customer environments.”
In an MSP environment, businesses can select from a menu of options, ranging from no security protection to full services that include managing the OS, database, applications and security. MSPs that have experience with databases and applications are usually knowledgeable about how to protect data at every step, from transmission to application uses to storage.
“An MSP like IBM has the advantage of knowing the entire data ecosystem. IBM has done it internally across every type of business,” Petta said.
Strategies and Solutions
As organizations know, hackers who want their data will be relentless and oftentimes creative in their attacks. As new security solutions become available, hackers are also taking advantage of the cutting-edge technologies. For example, hackers are now using machine learning to figure out how to breach security systems.
One of the best ways for organizations to protect their data in the cloud is to work with an MSP that offers strategies and solutions that meet the needs of the business. While no technology is guaranteed to stop all attacks, MSPs understand best practices and solutions to mitigate threats and offer the best security possible.