Cloud Hosting

Times may change, but standards must remain. Or, rather, technologies may change but user behaviour remains. Shadow IT has been in place at many organisations long before the launch of the smartphone, and attempts to take control of it, from the clunkily-named bring your own PC (BYO PC), to the more streamlined BYOD, have been just as common.

Now, instead of just shadow IT, we have shadow cloud, as well as what Zscaler recently described as shadow IoT. Its all about complexity, and for security managers, keeping an ever-increasing circle of sharks at bay.

Chris Burtenshaw (left) is founder of Strata Security, a company which aims to provide joined up cybersecurity, removing the silos and giving easy-to-digest insight across an entire estate. With the better part of two decades experience as a cybersecurity consultant, Burtenshaw kept seeing the same requests from his clients. His response was to build out a scalable solution and thus Strata was born.

What typically would happen is, towards the end of an implementation for a very expensive monitoring tool maybe it was a multi-million pound project somebody would pop up and say how do we show this is delivering value? Burtenshaw tells CloudTech. The tools themselves arent necessarily the best place to show the context of the tool.

So what I ended up doing was building one-off snapshots, usually in Excel, that allowed them to see what their tools were doing, how those tools were performing, and how they worked with a real customer cybersecurity strategy.

It is safe to say the companys main product, Strata Insight, is a little more sophisticated than an Excel sheet. As the company puts it, Strata creates metrics that correlate to security control frameworks granting a new level of mastery over such controls. In this way, [it] helps reveal hidden risks, gaps and imbalances. To give a basic example, imagine you have one or more anti-malware tools, and want to know if they are up-to-date across all your systems. Strata brings that coverage data together, enabling you to quickly spot gaps plus track performance against controls.

The question of why such a solution is needed raises itself. Complexity is one thing, but should the security vendors themselves have a bigger part to play? What generally happens is there is a disjoint which comes in during the sales to implementation to delivery process, explains Burtenshaw. A product is typically bought to solve a specific, identified need, and often that can be a technology-driven process thats led to the selection of that particular product.

As the project continues, the focus then switches to business, he adds. Great, weve got this new, lovely, shiny thing, but how is it delivering all of our strategy?'

The exponential rise in cloud services usage be it companies dipping their toes into the water to others actively exploring multiple clouds for different workloads has been noted, even since the beginning of 2018, when Strata was founded. Most people now are very much taking something like a cloud-first approach as far as possible, says Burtenshaw. That combination of a smorgasbord of public and private cloud services, plus the traditional on-prem environment for large organisations, that isnt going anywhere.

From a security teams perspective, obviously youve got to identify what those clouds are, and make sure theyre secure, because as we all know it just takes one unpatched server somewhere in an uncontrolled environment and youre all over the front page.

This is a marked change from even five years ago. As Burtenshaw notes, the pre-cloud world was still complex, but in a different way. One of the biggest challenges for larger companies was mergers and acquisitions, he explains.

Then there would be different tools for different parts of each individual organisations environments or networks. You needed that sort of holistic view to look at for example the monitoring system used by company A, company B, company C, to get the big picture.

As things have evolved, youve still got that level of complexity plus the clouds that these organisations use.

While cloud is irrefutably here to stay, so for the time being at least is Covid-19. The pandemic has seen working practices change radically, which means even more headaches for security teams. Burtenshaw notes that the first thing to do is the boring stuff how is the company doing remote access and antivirus? How are we maintaining control of our workforce? but it is essential. Many security managers and officers that we work with are spending most of their time over the last few weeks approving quite difficult security control changes to enable that transition to happen, he says.

Speaking to Jeremy Snyder of DivvyCloud last week, he argued that, with the need for employees to do as much work as they can remotely, companies are good at making things happen but less good at cleaning up after themselves. Burtenshaw again cites complexity, but adds that there should be positives from this not least changing peoples attitudes to remote working long-term.

The good thing is were in a much stronger place than we would have been five years ago, he says. From a security perspective, there is a lot more data available that we can use to understand our security risks and threats in that changing model, and to understand where we need to remediate. For example, theres a lot more data about the security status of endpoints available through cloud services than there was five years ago.

Even if you do suddenly have 5000 people working remotely, you can find out how secure those devices are when theyre using them to work remotely, Burtenshaw adds. You do have a lot more information available about things that are outside of your traditional corporate network that you would have been concerned about five years ago.

Photo byElijah ODonnellonUnsplash

Interested in hearing industry leaders like Strata Security discuss subjects like this and sharing their experiences and use-cases? Attend theCyber Security & Cloud Expo World Serieswith upcoming events in Silicon Valley, London and Amsterdam to learn more.

Continued here:
Chris Burtenshaw, Strata Security: On cloud and IT complexity - and keeping off the front page - Cloud Tech