More than a few experts labeled 2014 as the “year of the breach”, and a list of all the companies that experienced security issues last year would be an entire article itself. Massive organizations are the ones that get the headlines when they experience a security issue, but companies that are infinitely smaller are just as vulnerable to breaches, if not more so.
To find out what small to medium sized businesses can do to educate and protect themselves, we had a chat with Signiant CTO Ian Hamilton. We previously talked with Ian about software as a service (SaaS) solutions that are scalable and easy to use, but his background and focus is around security, so we took this opportunity to discuss the fear that some people have when it comes to outsourcing, why security experts need to be agile, what role users play and plenty more.
ProVideo Coalition: We’re not too far removed from NAB 2015, where Signiant had a large presence in the South Lower Hall. What sort of discussions were you having with attendees, and what stood out to you the most about them?
Ian Hamilton: I had many conversations with people who were looking to utilize cloud services to augment on-premises deployments. A common theme was that they all wanted to know that they were spending their money in a way that was going to give them a real and measurable business benefit. What stood out this year in particular was the accelerating interest in SaaS.
Of course, one of the concerns that people immediately have when they’re using outsourced services as opposed to managing things themselves is the security of the whole system. What many of them don’t realize is that when you look at the small and medium-sized business space, leading cloud infrastructure as a service vendors can achieve a much higher level of security just through economies of scale than most SMBs can achieve themselves. So this is an interesting conversation to have with those smaller businesses.
At the enterprise level, the same sorts of benefits apply, but obviously large enterprises can get some economies of scale when investing in their security practices. That said, information security isn’t necessarily a core competency they want to invest heavily in like it is for large-scale infrastructure as a service vendors like Amazon, Microsoft Azure and Google.
It’s interesting to hear that there are still concerns about using outsourcing services. Not trusting a vendor whose sole reason for existence is to provide this particular service could work against that company’s interest, can’t it?
Absolutely. It goes back to the concept that it’s someone else’s computers, someone else’s software, and some people inherently don’t trust anything that falls under such categories.
There are always going to be individuals who think that if they don’t control every single aspect of something then it’s at risk. But for most people, interacting and trusting other professionals is the best way to extend what they can accomplish as individuals or organizations. Certainly, trusting but verifying is part of that process, but that’s a step anyone who wants or needs total control won’t ever take.
Increasingly, people want to know what business benefit they’re getting from what they’ve purchased. When they’re purchasing SaaS, the relationship between expense and business benefit is much more direct, which often overrides the people who think that anything that isn’t completely under their control is inherently vulnerable. But SaaS can also improve your security posture through the same advantages that economies of scale and narrower focus give IaaS (infrastructure as a service) vendors.
In your opinion, how many security breaches and issues come down to users not doing what they’re supposed to be doing?
I think it’s the majority. So many breaches start with what some people call a wetware attack, or an attack on people, where they’ve either been phished for information or tricked into running some malicious piece of software on their machine. Attacks that are associated with technology often leverage weaknesses in technology to be able to trick humans and gain further access, as opposed to outright compromises of security functionality providing direct access.
So much of it then comes down to proper training, which makes it essential for technology vendors to ensure the security aspects of their product are easy to use and understand so that people aren’t as vulnerable. That goes for users no matter what their role happens to be, whether it’s end users, operational administrators, etc. Gone are the days of the tradeoff that some said existed between security and usability. I think unless something is usable, then it can’t be secure, and mindsets are shifting in that direction.
When you have some convoluted method for specifying how you want your assets protected, people are going to make mistakes and you’re going to have compromises as a result. Security and usability are intimately connected in my opinion, and that wasn’t always the way security experts thought about this problem.
In light of so much publicity around security breaches, are you finding that users are wanting to talk with you more about security issues and measures?
We’ve definitely seen an increase in the interest in security. I think it’s a result of the hyper-connected world that we live in now.
With everything being electronically connected, people are really concerned with what sort of incremental exposure that adds for them. Interconnected systems need to be designed with security in mind, and “defense in depth” is a key secure design principle that I talk about a lot in this context. Defense in depth advocates that you can’t rely on a single security mechanism to protect all your assets. You need to have multiple layers of protection around your assets because you never know where attacks are going to come from. This is key to securing assets in this hyper-connected world.
How often do you see security measures get in the way of productivity?
Security measures definitely can get in the way of productivity. The most efficient way to interact is in a world where you can blindly trust everyone you encounter. This gets a lot of overhead out of the way, but it doesn’t reflect the world we live in. I’m not saying that security measures can’t have any cost associated with them or people won’t use them, but they need to be designed in a way that everyone understands them, and then in turn will utilize them, because they understand the protection and benefits they’re providing.
Based on the productivity gains associated with everything being so connected, the security cost is one most people are more than willing to pay when the security mechanisms are designed properly and easily understandable.
What’s one thing that professionals typically don’t grasp about security?
Many content production professionals don’t necessarily think about some of the larger risks. So many people are of the mindset that they only need to prevent the theft or unauthorized exposure of their content, but that’s only one aspect of a larger issue.
If an organization experiences a breach, it might have to completely shut down its operation for days or even weeks, and the cost of that shutdown is in addition to whatever costs are directly associated with the breach. Shutting down every single computer and network interface in response to a significant breach means operation comes to a complete halt. The costs associated with that sort of completely justified response can be astronomical.
When people first think about threats, they don’t often think about things like their reputation, being able to conduct business, etc. They’re often focused on stopping pirates from getting their hands on the content and the direct impact that has on lost opportunities to monetize the content, but that really can’t be the only concern or where the conversation ends.
Will technology developments ever completely take users out of the conversations around security? So that on a user level they never have to see or deal with the security measures that have been put in place?
I think so. That’s ultimately the goal.
If you look at what’s going on with web applications and installed applications on every platform, they’re all trying to create an environment where everything is sufficiently sandboxed from everything else, so you can’t shoot yourself in the foot. And that’s a lofty goal.
With the usability of security functions, we’re definitely making progress. Just sandboxing applications and loading applications from app stores that have been vetted by third parties is an example of that. We’re making some great strides in that area, and ultimately I think we’ll get there.
Of course, even when we create that cordoned off sandbox, there are always going to be new threats that haven’t previously been factored in, and that’s another key thing that security professionals have come to realize. They have to be agile. You can’t design a set of protections and then expect them to be effective forever. As the threats evolve, the protection mechanisms need to as well.
At what stage of a project should professionals be thinking about their security measures? And how can they start this process?
In terms of how to start, it really begins with a threat analysis: a look at what the assets are, what the risks to the assets are and what protections need to be put in place to address those risks.
The reality is that this should happen as early as possible. Security is an issue that’s going to need to be dealt with sooner or later, and “later” can mean major problems.
From the perspective of a software development company, it’s much easier to start with security as an upfront design goal and implement it through the process, than it is to get to the end and say it now needs to be secure. The former approach is almost always successful, and the latter approach is almost never successful.
And these sorts of protocols and tools aren’t limited to humongous organizations, are they?
SaaS is a great enabler for smaller businesses that might not be able to achieve the same level of security on their own based simply on economies of scale and expertise. There are solutions available that allow them to achieve a significantly higher level of security by outsourcing responsibility for it.
And that brings us back to the concept of not being nervous or concerned about outsourcing such things.
Exactly. There are tools that can effectively protect organizations no matter how large or small they are, and the value associated with those expenses can be quantified. Running that threat analysis is a great way to start, and will help organizations discover how much they need to take on themselves and where prudently applying SaaS can help.