Securing data when it’s no longer in the centre
Feb 25, 2022
Editor's note: A version of this article originally appeared in Professional Security Magazine Online.
Language has a power all its own. The words we use to describe things change over time, but those same words also slowly shape our thinking and practices in surprising ways, long after they are introduced. Technology, by contrast, has churned through business vocabulary at a far faster rate, and where a term sticks it is not always for the right reasons. One good example is the term ‘datacentre’, which is built around the idea that data is stored centrally and protected alongside other data and systems. With digital transformation, in particular the wide adoption of the cloud, both the term and the mindset it created need to be corrected.
Since the cloud revolution began, the classic datacentre has declined in prevalence and importance. With more and more applications and services relocated to multiple cloud environments, data is no longer kept in one central place. The storage and security practices inherited from datacentre thinking led us to assume that all this data can be treated en masse whenever an organisation needs to access or protect it. This was the “walled garden” approach, in which IT could put its hands on anything within the perimeter in order to protect it. In the age of the cloud, that single perimeter no longer exists.
However, the word still exists and is still used in everyday IT communication, and with it the walled garden approach is still often used to protect and provide access to this information. This creates a false sense of security when data and systems are in the cloud, and can lead to failed projects if the access path to the data is not adapted to the new environments.
The evolution of the cloud
The move to the cloud has been influenced by a further factor: the ongoing pandemic has acted as a catalyst, accelerating the shift as many organisations adopted cloud services faster than they had planned. Once working from the office became the exception, a huge number of organisations across many industries had to enable remote working for all staff, which forced a fast and massive change to earlier capabilities or plans. Apps and data moved out of the centrally secured perimeter at an increased pace and with new criticality, but the terminology and the mindset remained.
Many businesses are undergoing large-scale transformations by embracing these digitisation trends and moving away from their datacentres, yet the security infrastructure is often retained even after it has become ineffective. Organisations continue to rely on their existing, datacentre-based technology stack to protect access to new cloud architectures, and so face new challenges that prevent them from realising the full potential of their move to the cloud.
A combined infrastructure, with a multi-cloud set-up alongside traditional datacentres, is complex and costly to manage. In addition, a legacy security approach can be an obstacle to innovation, because it forces data traffic through the same long routes it had to take before the move to the cloud: a remote user is backhauled into the datacentre only to be sent back out to a cloud application. Nevertheless, many organisations still run a traditional infrastructure alongside new technologies until they gain complete confidence in the cloud-based alternatives. Sometimes this change never happens at all.
Although digital transformation itself is inevitable, the way enterprises approach change has a huge impact on how smooth the transition is. The advent of the cloud means there is no longer a single place to put controls around data, and enterprises have to assess threats, risks and the controls available to them from scratch. Even though the cloud offers a huge array of capabilities, there remains uncertainty about how to implement security and access functions in it. The key to a successful cloud transformation is not only moving data to cloud environments but adapting wholeheartedly to a perimeter-free security architecture, achieving the same protection of data by means suited to the new, more flexible way of working.
Regardless of where the users and the data are and which network they use to reach their applications and services, IT should keep control of the data flows through a centralised enforcement plane that applies rules and access policies. This is fundamentally the beginning of a zero trust journey. Enterprises must consider zero trust holistically, so that it tackles the challenges of decentralised IT environments, mobile employees and diverse workloads at the same time.
The role of zero trust
Without zero trust, a known identity, whether an employee, a workload or a trusted device, is generally given access to an entire network rather than to the application it actually needs. This puts the network, and every other application and device on it, at risk of being breached. It has been a growing concern for organisations, particularly since employees were advised to work from home in early 2020. The approach is a legacy of the same datacentre mindset: as long as users were inside the walls, they and the devices they used were automatically trusted. Now that the datacentre is only one of many places employees access, and the corporate network is a minority location to be coming from, organisations need a system that no longer grants individuals an assumption of trust when accessing the internet or applications within the corporate perimeter. Instead, that trust has to be earned for each access, based on identity and context.
That is where another age-old principle comes in, that of least-privileged access, which can require a change of mindset. Granting a user access only to the specific applications their role requires, and enforcing that decision for every single transaction or connection, significantly reduces the blast radius of a compromised account or device, and it can improve the user experience as well. Ultimately, it means software-defined policies, rather than networks, securely connect the right user to the correct app or service. A single secure cloud platform sits between users and the internet, inspecting all traffic to and from the device. Zero trust replaces the conventional network security model, and companies that have implemented it have started to recognise the importance of fast access to applications for employee satisfaction with IT, irrespective of how the applications are accessed.
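To make the difference between the two models concrete, the following is an added example (not code from the original article or from any vendor's product) that evaluates one access request under a legacy perimeter check and under a per-request, default-deny zero trust policy. The entitlement table, the MFA freshness threshold, the device posture signal and the sample requests are all constructed for illustration.

```python
"""Added example (not from the article): a minimal per-request zero trust
policy decision, side by side with the legacy perimeter decision it replaces.
The entitlement table, thresholds and sample requests are constructed for
illustration and are not any vendor's policy model."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # group memberships from the identity provider
    app: str                   # the single application being requested
    device_managed: bool       # posture signal from an endpoint agent (assumed)
    mfa_age_minutes: int       # minutes since the user last passed MFA (assumed)
    source_network: str        # "corp" or "internet"; only the perimeter model cares


# Constructed entitlement table: which groups may reach which application.
APP_ENTITLEMENTS = {
    "payroll": frozenset({"finance"}),
    "wiki": frozenset({"finance", "engineering", "contractors"}),
    "git": frozenset({"engineering"}),
}
MAX_MFA_AGE_MINUTES = 60   # assumed policy threshold for MFA freshness


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: being on the corporate network is the only check, and a
    'yes' here means reachability to every application, not just req.app."""
    return req.source_network == "corp"


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Default deny. Allow only if this identity is entitled to this one
    application and the request context meets policy. Called per connection,
    so a change in posture or a stale MFA is caught on the next request."""
    reasons = []
    allowed = APP_ENTITLEMENTS.get(req.app)
    if allowed is None:
        reasons.append("unknown application")
    elif not (req.groups & allowed):
        reasons.append("identity not entitled to application")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.mfa_age_minutes > MAX_MFA_AGE_MINUTES:
        reasons.append("MFA too old")
    return (not reasons, reasons)


# Constructed sample requests.
CONTRACTOR_ON_LAN = AccessRequest("c.jones", frozenset({"contractors"}),
                                  "payroll", True, 5, "corp")
ENGINEER_AT_HOME = AccessRequest("a.smith", frozenset({"engineering"}),
                                 "git", True, 10, "internet")
ENGINEER_STALE_MFA = AccessRequest("a.smith", frozenset({"engineering"}),
                                   "git", True, 600, "internet")
ENGINEER_BYOD_ON_LAN = AccessRequest("a.smith", frozenset({"engineering"}),
                                     "git", False, 10, "corp")


def compare(req: AccessRequest) -> dict:
    """Show where the two models disagree for one request."""
    zt_ok, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zt_ok, "reasons": reasons}


if __name__ == "__main__":
    for name, req in [("contractor on LAN -> payroll", CONTRACTOR_ON_LAN),
                      ("engineer at home -> git", ENGINEER_AT_HOME),
                      ("engineer, stale MFA -> git", ENGINEER_STALE_MFA),
                      ("engineer, BYOD on LAN -> git", ENGINEER_BYOD_ON_LAN)]:
        print(f"{name}: {compare(req)}")
```

The contractor on the LAN is the case the article warns about: the perimeter model lets them at payroll (and everything else) simply because of where they are, while the policy model denies because the identity has no entitlement to that one application. The engineer working from home is the reverse: the perimeter model has no answer other than "connect to the VPN first", whereas the policy model allows the single application once identity, device posture and MFA freshness check out. Because the decision is taken on every request, a stale MFA or an unmanaged device is refused on the next connection rather than riding on a network session that was trusted once.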
The ongoing adoption of zero trust and the cloud are the key drivers for invalidating the term datacentre. By now, most security professionals realise that digital transformation will never be straightforward. However, the cloud enables companies to use innovative services that mitigate risk while enhancing security, agility and efficiency. Going forward, we can expect the cloud environments and collaborative tools that organisations turned to in their time of immediate need to remain in place, whether or not employees ever return to the office.
We will see how long the term datacentre will remain in the minds of those responsible for modern architectures. Maybe we should start looking for a new term.