Here at OpenDNS, we believe our approach to security is uniquely positioned to “work with the way the world works today”.
We’re located in San Francisco and surrounded by some awesome cutting-edge tech companies. Our CEO has excellent relationships with many of them, who currently use our technology and provide us with insights on their own security stance and how we can best support that.
In our day-to-day discussions about strategy, I’ve started using the term “the Enterprise of the Future” to represent this target customer segment. To me, this means organizations that fit the following profile:
- They are aggressively leveraging cloud applications to gain a competitive advantage, so most or all of their data is in the cloud.
- They use a mix of the latest types of devices (many are primarily Mac shops).
- Their workforce is highly mobile and/or distributed.
These companies have had the luxury of building their IT organization at a time when fantastic new cloud-based technologies are available for them to leverage. They are unencumbered by the need to protect crown jewels (data) behind castle walls (traditional enterprise network perimeters) and as such are able to take a different approach to security.
Let’s call these types of organizations “startups” for the remainder of this article, even if they’ve been around long enough to make it a misnomer.
In contrast, your organization has likely been around longer and/or built up a lot of infrastructure necessary for your business to function and deliver your services. It’s probably challenging for you to adopt this new technology and secure it, but getting a window into how these startups are approaching security could help you look towards your own future and flesh out a strategy to get there.
So without further ado, here are five trends I’ve observed after speaking to a number of these types of organizations:
1) They take a “light touch” approach to security
The spirit of this approach is really about creating a partnership between you and your end-users that empowers them to keep themselves safe without punishing them, i.e., without making it difficult to do their jobs or slowing them down while they try to work efficiently.
What this practically means to our startups is:
- No requirement to VPN when outside the protected corporate network.
- No heavyweight endpoint software pegging the CPU or hogging memory while attempting to do a multitude of security tasks directly on the device that often impede users from working at their desired pace.
- No heavyweight proxy-based Web security solutions that can break the end-user Internet experience and require all traffic to be funneled through a single bottleneck even though 99% of traffic will not be blocked.
Often, this also means local admin access privileges (gasp!), which can actually make sense given the next point…
2) The device is expendable; it’s the data & login credentials that need to be protected
It’s a common stance within these startups that laptops and mobile devices are just another insecure footprint used to connect to the Internet. This is increasingly true thanks to the trend of BYOD (“Bring Your Own Device”) in most organizations.
What this means to our startups is that:
- All data is located within the chosen cloud services, which negates the need for backups and (to some extent) file/folder encryption.
- If an incident does occur, it’s faster and easier to wipe the device and re-load a standard image, instead of spending time trying to restore and fix compromised devices.
The savings from this approach help these startups focus their resources on incident response, which is the next point to cover…
3) They are aggressively building out their incident response teams, systems, and data
Even if these startups have small IT teams, they are investing in and focusing on building out their incident response capabilities. This is something that is often put on the backburner for organizations that choose to primarily invest in prevention. Our startups, however, are able to build out their incident response more effectively because the number of incidents they’re generating in their environment is lower than in your typical tightly controlled Windows-based IT environment.
4) Federated identity management for cloud app control is key
In an environment of expendable devices and no local data to protect, identity establishment and management continues to be hugely important in these startups’ IT organizations.
Cloud application identity (often referred to as IDaaS or “Identity as a Service”) vendors like Okta, OneLogin, and Symplified are offering better ways to perform all-important identity management for cloud applications. Increasingly, this is without the use of Active Directory as the backend Directory Service. That said, Microsoft and other big names like Salesforce, Amazon, and Google are attempting to close the gap and marginalize these new challengers.
Our startups are demanding their vendors (security and otherwise) support SAML-based integrations so they can authorize users and log and control access through a single set of credentials — ideally, through a single, familiar user experience.
This approach delivers huge security benefits in that end-users no longer need to manage multiple passwords for their most-used cloud applications (the list of seamlessly integrated cloud applications these IDaaS providers support is constantly growing). Also, administrators can shut out compromised accounts or terminated employees from accessing all of their cloud applications with a single mouse click.
5) They focus on tightly integrating their data and services to get more out of their investments
The demand for SAML described above is a good example of this, though it goes much further than that for our startups. In the eyes of our startups, extracting threat intelligence out of some systems and injecting it into others is paramount for providing the sort of correlated event data that enables effective incident response.
As such, our startups are aggressively preferring vendors who are opening up their systems via canned integrations or APIs. They are demanding to get more out of their purchase than only what that vendor specializes in. At OpenDNS, we’re embracing this approach as we believe that our customers should control how best to leverage their investments and get the most out of the products they’ve purchased.
So what can I take away from these 5 observations?
Many of us today aren’t in the enviable position to rapidly incorporate all of the progressive approaches these startups are taking around security. That said, I don’t think it’s a very big leap to say they are giving us a glimpse into what will eventually be the norm.
You may find yourself resisting some or all of the above points in terms of your own IT/security strategy. If so, you may want to step back and be honest with yourself about how much your hand will be forced in the coming months and years.
Practically, you might begin by considering some of the following suggestions:
- Develop a realistic BYOD strategy. A simple Google search uncovers lots of advice on how to do this.
- Figure out the cost/benefit of your current Web security investments. Do this by trying out our TCO calculator.
- Focus your next IT hire around incident response. Make sure they have some programming skills so they can work with vendor APIs.
At OpenDNS, we’re continuing to learn from these startups as well as organizations like yours, who are in the process of transitioning from more traditional legacy IT environments to a world of clouds and mobility.
It’s a Herculean task and you’re the heroes, but with the right tools and a solid strategy it can be done. Best of luck, and don’t forget to give Umbrella a try via our free trial to see the future of Internet security today!