/// Industry Trends

Evolving patterns in consuming and managing digital content sources. Protect the data itself, share it safely with anyone.

DATA PROTECTION EVOLUTION

With the exponential growth of wireless connectivity and smart device access to public and private digital content sources, information security, corporate privacy and data encryption have recently moved up the corporate agenda. Information protection is consistently among the top 10 recent IT industry trends. Bluezone is the first in the world to offer a complete spectrum of products to protect your sensitive data by isolating it before it enters your IT network, covering a range of information access channels. Our engineering and support teams are committed to staying on top of current technology trends, including cloud computing, smart device integration, financial transaction processing, information privacy and data security techniques.

CLOUD COMPUTING

CLOUD PHENOMENON

According to 2012 Gartner research on cloud computing, the cloud is a technology discontinuity that, within the next 10 years, is likely to dramatically change IT organizational missions, structures, roles, skills and operations. One major benefit that the cloud brings to organizations is capability on demand, with better and faster technology service delivery to reduce time-to-business.

Recent IDC cloud research shows that worldwide revenue from public IT cloud services exceeded $21.5 billion in 2010 and will reach $72.9 billion in 2015, representing a compound annual growth rate of 27.6%. This rapid growth rate is over four times the projected growth for the worldwide IT market as a whole (6.7%), with the cloud phenomenon being a core ingredient of a large transformation of the IT industry.

CLOUD DATA PROTECTION

According to a 2015 Forrester report on cloud data protection, many Software as a Service (SaaS) and Infrastructure as a Service (IaaS) providers offer built-in data encryption capabilities. However, the clients report that to be absolutely sure they can avoid a data breach, they need to have a third-party cloud data protection vendor with its own solution that offers key management, encryption and data governance.

While security and privacy concerns remain the biggest inhibitor to cloud adoption, clients are driven by the cost-efficiency and operational convenience of cloud services, yet are legally mandated to protect the data they collect, process and store.

Anyone embarking on a cloud implementation or integration in the near future is advised to consider:

  • Multi-cloud provider support capability
  • Dedicated security cloud service providers
  • More integrated behavioral event intelligence
  • Integration with enterprise rights management
  • Integration with identity and access management

CLOUD SECURITY

The results of a 2016 CSA cloud security survey indicate that 65% of respondents were confident that cloud had equal or greater security than internal IT systems. However, integrating and aligning security programs across a cloud provider and an enterprise is a challenge.

It is critical to understand that enterprises, particularly those from highly regulated industries, own the accountability for their security posture regardless of who actually manages it. Enterprises want a holistic view of this security posture to see cloud as an extension of their on-premise IT footprint. Enterprises and cloud providers need to agree to look beyond organizational boundaries to hold this common perspective.

Greater transparency is needed on the part of providers to assist enterprises in managing the myriad of security issues. From governance and compliance to operations, cloud providers have an obligation to lean towards greater disclosure, while preserving privacy obligations.

Cloud providers need to put a greater emphasis on cooperation with their competitors to create greater trust in the industry and to accelerate security solutions. The areas of cooperation and collaboration include:

  • Threat intelligence and incident sharing
  • Transparency that extends assurances to verifiable controls with strong integrity checks
  • Open interoperable standards development on common security requirements/controls
  • Support for multi-vendor enterprise architectures to assure interoperability and data portability

SECURE MULTI-TENANCY

While the bulk of enterprise software is still deployed on-premise, software as a service (SaaS) continues to undergo rapid growth. Gartner predicted the total market will top $22 billion through 2015, up from more than $14 billion in 2012. The SaaS market will likely see significant changes and new trends in 2014 as vendors jockey for competitive position and customers continue shifting their IT strategies toward the cloud deployment model.

SaaS vendors have long touted the benefits of multi-tenancy, a software architecture where many customers share a single platform or application environment, with their information kept separate. Multi-tenancy has recently demonstrated a shift away from its original definition, where service providers offer an option for their medium to large size clients to allow them to have their own dedicated hardware or segregated virtual stack. This opens up more opportunities for such clients and their partners to provide a much higher level of information security and an easier roadmap to regulatory compliance.

BARE-METAL CLOUD

According to a 2015 Forrester report on bare-metal as a viable cloud option, this type of cloud is a strong candidate for high-performance workload scenarios, eliminating the latencies associated with virtual machines and their virtualized network and I/O operations. Despite the continued freefall in VM-based cloud pricing, bare-metal clouds are cheaper on a per-workload basis for environments where the virtual machines are large and constantly heavily loaded.

With transaction scenarios that require stringent time windows and other high-volume and latency-sensitive workloads, the business value is directly proportional to the available number of compute cycles within the window, and bare-metal clouds offer a powerful alternative platform. A bare-metal cloud offering allows you to flexibly provision dedicated physical servers with cloud semantics without any overhead from virtualization software, and may fit well as a better option for your overall service ecosystem.

Benefits of bare-metal cloud include:

  • Deterministic performance
  • Extremely low latency
  • Network data locality
  • Operational density economics
  • Simplified system administration

HYBRID CLOUD MODEL

According to a 2016 IDC study, hybrid cloud is becoming the dominant computing paradigm and will remain so in the coming decade. This means that most organizations are adopting cloud for fast on-demand compute deployment at lower cost, while retaining certain workloads on premises.

It is projected that in the next few years, more than 65% of enterprise IT organizations will launch a hybrid cloud that includes various public cloud services, as well as private cloud or non-cloud infrastructure. In the same period, more than 60% of enterprises are expected to start using at least 10 different public cloud services in SaaS, PaaS and IaaS categories.

A growing number of cloud systems management solutions are helping IT configure, provision and monitor cloud infrastructure, workloads and applications. What is less understood is how to ensure availability and data protection for mission-critical workloads across a hybrid mix of on-premises and third-party cloud environments.

Reduced downtime, guaranteed application availability, and strong data protection are as vitally important in a hybrid cloud as they are in any other deployment model. The following activities are advised to be carried out by cloud service providers:

  • Identifying the weak links in a hybrid cloud
  • Ensuring that services and applications remain healthy and available
  • Viewing the data in a hybrid cloud as a unified whole, and protecting and managing the data accordingly
  • Orchestrating and automating disaster recovery without impacting production environments

DATA SECURITY

DATA-CENTRIC SECURITY

According to 2012 Forrester research, cyber criminals have become more skillful and sophisticated, as they have eroded the effectiveness of traditional perimeter-based security controls. The constantly mutating threat landscape requires new defensive measures, one of which is the pervasive use of data encryption and tokenization technologies.

It is strongly recommended that sensitive data be encrypted, or otherwise protected, both in transit and while at rest. This data-centric approach to security is a much more effective way to keep up with determined cyber criminals. By encrypting or tokenizing, and thereby devaluing your sensitive data, you can make hackers bypass your networks and look for less robustly protected targets.

There are two types of data: data someone wants to steal and everything else. Most security professionals today do not understand the motivations behind data theft; they put controls in place that protect the data that is most valuable to them, as opposed to criminals. The answer is simple: if they can’t sell it, they won’t steal it.

DATA TOKENIZATION

As indicated in a 2015 Forrester report on the importance of data tokenization in securing the payment chain, 50-year-old magnetic stripe and 20-year-old smart chip technologies are no longer sufficient to secure mobile payments in the hostile world of e-commerce. Security and risk professionals who protect the payment chain (cardholders, merchants, acquirers, processors and issuers) need new methods to defend mobile payments and customer data.

With lower personalization and delivery costs to issuers, transactions on digital wallets, mobile device based NFC virtual cards, and other types of EMV contactless payments are continually proving strong competitors to plastic. At a time when breach costs are skyrocketing, new encryption and tokenization technologies are emerging to close the gap and address the risks of potential fraud and abuse.

BREACH PREVENTION

A recent Forrester cyber security brief has indicated that on a landscape of detection, prevention and response, it is expected that 2016 will mark the shift to preventive measures. Targeted attacks continue to plague organizations, and these intrusions damage corporate brand and customer loyalty. Short-staffed, under-budgeted, and lacking the internal discipline to address risks related to toxic data, public and private sectors will continue to suffer breaches.

Are breaches inevitable? Perhaps, yes: many government agencies and data processing companies have huge stores of private, very sensitive data – data that is too valuable on the black market for cyber criminals of all stripes to ignore. Security investments based just on a checklist of technology required to meet compliance fail to address the underlying vulnerabilities. A more comprehensive approach, such as the “zero trust” model in data protection, is needed to replace perimeter-centric defense and the minimal security checklist. Organizations are advised to invest in new varieties of data breach prevention tools, those that effectively identify and protect the sensitive records well in advance of an attack.

ZERO-TRUST MODEL

According to 2014 Forrester research on the effectiveness of data protection methods, a generation of information security professionals has been endorsing a paradigm of throwing a wealth of security controls at guarding the network perimeter, while promoting the convenience of open access to resources on the internal network.

On today’s new threat landscape, this is no longer an effective way of enforcing security. Once an attacker gets past the secure zone boundary, he has access to all the resources on the so-called “trusted network.” We’ve built strong perimeters, but well-organized cyber criminals have recruited insiders and developed new attack methods.

To help security professionals address the risk, a new approach to information security has emerged, a “zero trust” model. In a true “zero trust” environment, all network traffic is untrusted. Thus, security measures must verify and secure all resources, limit and strictly enforce role-based access control, and inspect and log all network activity relevant to resource viewing and management.

ENDPOINT ENCRYPTION

According to a 2015 Forrester report on endpoint encryption, the respective market is growing, with more security and risk professionals seeing full disk, file-level and media encryption as ways to protect against device loss and the possible fallout of non-compliance.

Employees access corporate data at home, at work, and everywhere in between. An explosion of consumer devices and services has fueled on-the-go computing and a blurring of work and personal lives. Common data types considered most at risk are: customer data, employee data, company confidential data and intellectual property. In the meantime, government and industry oversight bodies issue industry-specific regulations in an attempt to protect digital assets.

When you encrypt your endpoint data and properly protect the keys, a captured endpoint is essentially useless to malicious individuals.

INTEGRATED PLATFORMS

According to a 2015 Forrester study, 98% of decision makers recognize that cloud-delivered integrated security platforms can offer better security functionality than point solutions. Information security executives need to look at their security tools in a new light, focusing on integrating these tools, or replacing them with an integrated security platform delivered from a flexible cloud infrastructure.

Nowadays, companies face threats that require functionality such as automated machine learning, crowd-shared threat intelligence, integration between security products, and strong encryption and tokenization technologies. Among 14 different cyber protection categories, data security ranked as the most important feature that would drive the purchase of an integrated security platform. Cloud delivery of such a platform provides big opportunities for companies to reduce complexity and costs, while improving their security posture.

The resulting needs of security professionals are loud and clear: simple and powerful ways to protect data and employees everywhere, without the proliferation of point solution appliances. These are the catalysts for adopting an integrated, cloud-based approach to security, which delivers a complete stack of functions to address cyber threats.

INFORMATION PRIVACY

PRIVACY REGULATIONS

Forrester has recently done an in-depth analysis of the privacy laws in 54 countries around the world, and concluded that many of them are undergoing shifts in their privacy legislation, with a trend towards adoption of much more stringent standards and controlled audit processes. This trend is driven by most consumers being willing to share their data in exchange for value, yet raising concerns about the spread of their individual identity information.

Organizations need to think differently about the data they collect. Corporate privacy policies must be aligned with data governance practices, and must be written in such a way that customers are crystal clear about what is being collected and why. Companies should consider providing customers with granular preferences for what is intended to be stored and how it will be used, instead of making these types of options an all-or-nothing proposition.

DATA TOKENIZATION

According to 2015 Forrester recommendations for enterprise security programs, it is all about the customer, and it has always been. Senior business leaders are not interested in esoteric discussions about the demise of perimeter security but are eager to entertain solutions addressing customers’ increasing concerns regarding privacy, fraud and cyber security.

The #1 recommendation is earning and retaining customer trust via focusing on privacy, which remains of paramount importance. Customer data used correctly provides essential insights into customer behaviors and preferences, influencing future product and service strategies. This data represents huge economic value that needs protection, and is a critical component of any sustainable and secure customer service model. Retaining customers may ultimately come down to how well you protected their data.

There is growing consensus that data privacy is a significant issue, and a potential product and service differentiator for many markets and industries. Being in compliance with FISMA, HIPAA, PCI or SOX isn’t enough to protect your critical corporate data, intellectual property, or internal communication from hackers or countries that mean to do you harm. The trend of extending customer data into the cloud continually suggests making encryption a centerpiece of cloud security.

Encrypting toxic data as it moves to the cloud, or is stored in the cloud, will effectively make it difficult or impossible for criminals to monetize, and keep the information outside the scope of most data breach laws and regulations. This effectively means that you need to:

  • Encrypt data before it goes to a SaaS application
  • Encrypt data in IaaS and PaaS workloads
  • Centralize and automate IaaS security configuration

PRIVATE DATA MOBILITY

According to technology trend predictions from US wireless carrier Verizon, the prolific nature of cyber spying and malware attacks will force corporations to increase cyber security related budgets beyond 2014, as well as rethink traditional approaches to security management. As enterprises continue to adopt mobile devices, bring-your-own-device (BYOD) policies, big data and cloud solutions, both in-house and third-party security solutions are predicted to rise. The enterprise will develop and execute hybrid cyber-security management models that combine capabilities such as identity management, security analytics and cyber intelligence with governance, risk and compliance.

Based on the recent research conducted by IDC, less than 10% of the market had actively embraced BYOD, with the remaining 90% either deciding not to allow staff to go ahead or still evaluating their options, predominantly due to the cyber security risks. In view of that, a new trend is expected to emerge: eligible users will be given a choice of devices that they can use for work, also referred to as the choose-your-own-device (CYOD) model. Those organizations evaluating mobility strategically will look to CYOD as the main adoption model where management, security and privacy can be standardized and guaranteed, and at the same time, business processes can be mobilized.

PRIVACY RESPONSIBILITY

According to a 2014 Forrester brief on the state of data security and privacy, both remain among the top success factors on executive strategies around revenue growth. Privacy responsibility will be falling more onto the security group within enterprises, which is not entirely surprising given the amount of public attention and debate that privacy receives today.

Data is the intellectual property and also your customers’ payment card information (PCI), personal health information (PHI), and personally identifiable information (PII). Privacy abuses and intentional or accidental breaches of sensitive customer data undermine the trust relationship between your enterprise and its customers. If your customers don’t trust you to rigorously protect and genuinely respect their sensitive data, they’ll take their business elsewhere.

This re-ignition of privacy rights, together with increasing cyber attacks and the ongoing de-perimeterization of the digital enterprise, has forced security and risk professionals to move more and more protections closer to the data itself. Firms will increasingly set their sights on key management and pervasive encryption for protection that renders data unreadable to would-be cyber criminals. The need to secure data in the cloud, and wariness over intelligence agency, government and cloud provider access to the data, is fueling greater interest in encryption.

Consumers will continue to engage on social channels but it doesn’t mean they’re ambivalent when it comes to privacy. In fact, the vast majority of consumers are skeptical of how their social data is used even when the information that’s accessed is public. Companies need to be open about data initiatives and explain in public communications how and why they use consumer data, as well as the measures they take to actively protect it – and ensure that what is communicated is actually done!