Rethinking Security for a Transformative Era

June 13, 2022

Staying on the leading edge of technological change while managing the impact of costs, resources and complexity are at the heart of digital transformation. It touches almost every aspect of the organization, from supply chain to customer service to operations and more. Each company has its own reasons to embark on the journey and regardless of what they may be, digital transformation and cloud migration are two of the largest, most important projects any corporate enterprise undertakes. Together they present tremendous benefits as well as challenges that can make or break the enterprise.

That’s why many enterprises take great care in crafting their digital transformation and cloud migration strategies. They think holistically and assess how these projects will affect every endpoint in their increasingly distributed companies. They create detailed long-term road maps. They organize their strategies around business goals and desired outcomes, and not the technology used to achieve them. They carefully evaluate, implement, and then continuously assess to ensure their environment is secure.

The Covid-19 pandemic has only heightened importance and accelerated what already had been high-priority digital transformation projects for many companies, speeding up adoption in some cases from years to mere months. The pandemic sent workers home, increasing remote networking, broadening the distribution of endpoints, and driving more resources and applications to the cloud where they could be accessed more easily reshaping the “virtual world” where video conferencing, cloud connectivity, application performance, and security are more important than ever. Most companies have adjusted their grand strategies with these trends in mind.

Security Still Secondary

With so much care taken to make sure these timely projects meet and exceed expectations, it’s surprising that security sometimes trails behind in the discussion, rather than something baked into the project from the very beginning.

This is especially concerning at a time when security threats and attacks only continue to increase and grow more sophisticated. Ransomware, distributed denial-of-service attacks, and attacks focused on specific-user applications now appear to be carrying through from the enterprise premises right into the cloud. In fact, a Verizon study from earlier this year found that more cybersecurity incidents now involve external cloud assets than on-premises ones.

Prioritizing Security

It is becoming clear that industries and individual enterprises can’t go much further with digital transformations and cloud migrations without rethinking their approaches to security and making security a first-class citizen rather than a secondary consideration.

Here are some key ways to bring security to the forefront:

Think holistically. Take the same comprehensive, end-to-end vision applied to digital transformation and cloud migration, and do the same with security. Bring security directly into that big picture. Security needs to be end-to-end, and it needs to be thought of in unison with network and computer. If connectivity and data analytics extend to distributed endpoints, but security capabilities don't, the network and computing resources at those endpoints are vulnerable.

Start early. Security needs to enter the conversation much earlier. This is the only way for security planning, evaluation, and testing to keep pace with these migrations and the new aspects of the network and computing infrastructure that need protecting. Starting early means security should be baked in during the design phase and doesn’t come along later in the form of a last-minute, add-on product.

Create a roadmap. Digital transformation and cloud migration strategies take various twists and turns on the way to their destinations. They move very quickly at times and more slowly at other times. Security needs to follow the same roadmap at the same pace, with pit stops along the way to check progress. To reiterate what’s becoming a common theme, don’t buy a security product as an afterthought and simply install it all at one point in the roadmap.

Get people involved. The CISO job is becoming a more common one in enterprises, but many companies still lack dedicated security teams. Even in those that do have security as a box in their org charts, security needs to be an enterprise-wide concern and effort. Any and every human, device, and application are potential points of vulnerability and attack, and that makes protection everyone’s responsibility.

Aim for business outcomes. Again, thinking about security as a product that can be installed when everything else is in place is the wrong way to go. Think about security in a business context, not in a technology context: What is the ultimate goal? What is the desired business outcome?

Physical Security. Cybersecurity shouldn’t be the only focus. It is just as important to physically secure a premise with video surveillance, card readers, security guards, etc. Having a clear understating of what people are entering a location and at what time is crucially important. And it is not just about securing access to a location but understanding the context and levels of information to which employees and contractors have access.

Zero Trust. Over the last 20 years organizations have allowed many users, applications, and devices (referred to as actors) to connect to their networks, even though the technology has been available to only connect what is pre-authorized. Amid growing threats, actors accessing target destinations must be authenticated and authorized by enforcing rigorous access control policies. Continuously inspecting, monitoring, and logging sessions from the different actors are also important. This requires data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around digital resources.

Work from Anywhere. Networks have been getting increasingly distributed, and it’s time to embrace Secure Access Service Edge (SASE), the notion of an edge-cloud-centric, rather than a Customer Premise Equipment (CPE)-centric security solution. SASE is a managed cybersecurity service provided to a subscriber (e.g., an enterprise) to enable secure access and connectivity anywhere. This access is independent of the location (public cloud, private cloud, on-premises, Internet, etc.) of the users, devices, or applications and authorized according to Zero Trust policies (see above).

Embrace standardization and certification. Standards and certification help ensure that products and services such as SASE and Zero Trust work as intended so that cloud and service providers and enterprises can know pre-deployment if security solutions are going to work as planned. Standards provide a common language to the ecosystem, prescribing what and how it should be done. And certifying products and services pre-deployment and ongoing provides an added level of assurance—important as more companies adopt new approaches to networking and security like SD-WAN, SASE, and Zero Trust.

In the era of digital transformation where everything is connected, security capabilities need to extend end-to-end across the organization. There are several steps to help get this done on a massive scale, beginning with thinking holistically, starting early, and mapping out a plan. Getting the whole organization involved and focused on business outcomes is key, as is adopting industry-standard approaches to ensure success. Secure SD-WAN, SASE, and Zero Trust standards with service behavior, attributes and policies can help enterprise employees work from anywhere with security baked in. Prioritizing security from the beginning helps companies protect their investment and realize the tremendous benefits enabled by digital transformation.

About the author: Pascal Menezes is Chief Technology Officer at MEF, a global industry association of network, cloud, and technology providers who drive network transformation to power the digital economy.

About the Author

Pascal Menezes | CTO, MEF

Pascal Menezes is Chief Technology Officer at MEF, a global industry association of network, cloud, and technology providers who drive network transformation to power the digital economy