Transcript of a discussion on how cloud security is rapidly advancing and how enterprises can begin to innovate to prevail over digital disruption by increasingly using cloud-defined security.
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Security Than On-Premises
1. Cloud Security Crosses the Chasm, How IT Now Goes to the
Cloud for Better Security Than On-Premises
Transcript of a discussion on how cloud security is rapidly advancing and how enterprises can
begin to innovate to prevail over digital disruption by increasingly using cloud-defined security.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett
Packard Enterprise.
Dana Gardner: Hello, and welcome to the next edition to the Hewlett Packard Enterprise
(HPE) Voice of the Customer podcast series. I’m Dana Gardner, Principal Analyst at Interarbor
Solutions, your host and moderator for this ongoing discussion on IT
Innovation -- and how it's making an impact on people's lives.
Our next security innovation and transformation panel discussion explores
how cloud security is rapidly advancing and how enterprises can begin to
innovate and prevail over digital disruption by increasingly using cloud-
defined security.
We'll hear how a secure content collaboration company is removing the
notion of boundaries, so that businesses can extend further and safer, and we'll hear where the
cloud-security potential is headed for more transformative benefits.
Critical Security
And Compliance Considerations
For Hybrid Cloud Deployments
To share how security technology leads to many new business innovations, we're joined by
Daren Glenister, Chief Technology Officer at Intralinks in Houston. Thank you for being here,
Daren.
Daren Glenister: Thanks, Dana. I appreciate the opportunity.
Gardner: We're also here with Chris Steffen, Chief Evangelist for Cloud Security at HPE.
Welcome, Chris.
Chris Steffen: Hi, Dana. Thanks for having me.
Gardner: Let’s start with you Daren. What are the top three trends
that are driving your need to extend security and preserve trust with your
customers?
Glenister: The top thing for us is speed of business, people being able to do business beyond
boundaries, and how can they enable the business rather than just protect it. In the past, security
Page 1
Gardner
2. has always been how we shut things down and stop data, but now, it's how we do it securely and
how we perform business outside of the organization. So, it's enabling business.
The second thing we've seen is compliance. Compliance is a huge issue for most of the major
corporations. You have to be able to understand where the data is and who has access to it, and to
know who's using it and make sure that they can be completely compliant.
The third thing is primarily around the shift between security inside and outside of the
organization. It's been a fundamental shift for us, and we've see that security is moved from
people's trust in their own moved infrastructure, versus using a third party who can provide that
security and have a far higher standard, because that’s what they do whole day, every day. That
security shift from on-premise to the cloud is a third big driver for us, and we've seen that in the
market.
Gardner: You seem to be in a unique position to be able to comment on this. Tell us about
Intralinks, what the company does, and why security at the edge is part of your core competency.
Secure collaboration
Glenister: We're a software-as-a-service (SaaS) provider and we provide secure collaboration
for data, wherever that data is, whether it’s inside a corporation or it’s shared outside. Typically,
once people share data outside, whether it’s through e-mail or any other method,
some of the commercial tools out there have lost control of that data.
We have the ability to actually lock that data down, control that, and put the
governance and the compliance around that to secure that data, know where the
high value intellectual property (IP) is, who has access to it, and then be able to
even share as well, and, if you’re in a situation of losing data, revoke access to
someone who has left the organization.
Gardner: And these are industries that have security as a paramount concern. So,
we’re talking about finance and insurance. Give us a little bit more indication of the type of data
we’re talking about.
Glenister: It's anybody with high value IP or compliance requirements -- banking, finance,
healthcare, life sciences for example, and manufacturing. Even when you’re looking at
manufacturing overseas and you have IP going over to China to manufacture your product, your
plans are also being shared overseas. We've seen a lot of companies now asking how to protect
those plans and therefore, protect IP.
Gardner: Chris, Intralinks seems to have been ahead of the curve, recognizing how cloud can be
an enabler for security, but we’re starting to see a shift in the market, at least I certainly am. In
the last six months or so, companies that were saying that maybe security is a reason not to go to
Page 2
Glenister
3. the cloud are now saying that security is a reason they're going to the cloud. They can do security
better. What's happened in six months that made that flip?
Steffen: I don't know exactly what’s happened, but you're absolutely right; that flip is going on.
We've done a lot of research recently and shown that when you’re looking at inherent barriers
going to a cloud solution, security and compliance considerations are always right
there at the top. We commissioned the study through 451 Research, and we kind
of knew that’s what was going on, but they sure nailed it down, one and two,
security and compliance, right there.
The reality, though, is that that the C table, executives, IT managers, those types,
are starting to look at the massive burden of security and hoping to find help
somewhere. They can look at a provider like Intralinks, they can look at a
provider like HPE and ask, "How can they help us meet our security
requirements?"
They can’t just third-party their security requirements away. That’s not going to cut it with all the
regulators that are out there, but we have solutions. HPE has a solution, Intralinks has solutions,
a lot of third-party providers have solutions that will help the customer address some of those
concerns, so those guys can actually sleep at night.
Gardner: We're hearing so much about digital disruption in so many industries, and we're
hearing about why I can’t wait, I need to be agile and have a change in my business model to
appeal to my customers to improve their user experience.
It seems that security concerns have been a governor on that. "We can’t do this because 'blank'
security issue arises." It seems to me that it's a huge benefit when you can come to them and say,
"We're going to allow you to be agile. We're going to allow you to fight back against disruption
because security can, in fact, be managed." How far we are along the lines of really converting
this notion of disruption in security into an enabler when you go to the cloud?
Very difficult
Glenister: The biggest thing for most organizations is they're large, and it’s very difficult to
transform just the legacy systems and processes that are in places. It's very difficult for
organizations to change quickly. To actually drive that, they have to look at alternatives, and
that’s why a lot of people move into the cloud. Driving the move to the cloud is, "Can we quickly
enable the business? Can we quickly provide those solutions, rather than having to spend 18
months trying to change our process and spend millions of dollars doing it?"
Enablement of the business is actually driving the need to go to the cloud and obviously will
drive security around that. To Chris’ point a few minutes ago, not all vendors are the same. Some
vendors are in the cloud and they're not as secure as others. People are looking for trusted
partners like HPE and Intralinks and are putting their trust and their crown jewels, in effect, with
Page 3
Steffen
4. us because of the security. That’s why we work with HPE, because they have a similar
philosophy around security as we do, and that’s important.
Steffen: The only thing I would add to that is that security is not only a concern of the big
business or the small business; it’s everybody’s concern. It’s one of those things where you need
to find a trusted provider. You need to find that provider that will not only understand the
requirements that you're looking for, but the requirements that you have.
This is my opinion, but when you're kicking tires and looking at your overall compliance
infrastructure, there's a pretty good chance you had to have that compliance for more than a day
or two. It’s something that has been iterative; it may change, it may grow, whatever.
So, when you're looking at a partner, a lot of different providers will start to at least try to ensure
that you don’t start at square one again. You don’t want to migrate to a cloud solution and then
have all the compliance work that you’ve done previously just wiped away. You want a partner
that will map those controls and that really understands those controls.
Perfect examples are in the financial services industry. There are 10 or 11 regulatory bodies that
some of the biggest banks in the world all have to be compliant with. It’s extremely complicated.
You can’t really expect that Big Bank 123 is going to just throw away all that effort, move to
whatever provider, and hope for the best. Obviously, they can’t be that way. So the key is to take
a map of those controls, understand those controls, then map those controls to your new
environment.
Gardner: Let’s get into a little bit of the how, how this happens. What is it that we can do with
security technology, with methodologies, with organization that allows us to go into cloud,
remove this notion of a boundary around your organization and do it securely? What’s the secret
sauce, Daren?
Glenister: One of the things for us, being a cloud vendor, is that we can protect data outside. We
have the ability to actually embed the security into documents wherever documents go. Instead
of just having the control of data at rest within the organization, we have the ability to actually
control it in motion inside and outside the perimeter.
You have the ability to control that data, and if you think about sharing with third parties, quite
often people say, "We can’t share with a third-party because we don’t have compliance, we don’t
have a security around it." Now, they can share, they can guarantee that the information is secure
and at rest, and in motion.
Typically, if you look at most organizations, they have at-rest data covered. Those systems and
procedures are relative child’s play. But that’s been covered for many years. The challenge is that
it's in motion. How do you actually extend working with third parties and working with outside
organizations?
Page 4
5. Innovative activities
Gardner: It strikes me that we're looking at these capabilities through the lens of security, but
isn’t it also the case that this enables entirely new innovative activities. When you can control
your data, when you can extend where it goes, for how long, to certain people, under certain
circumstances, we're applying policies, bringing intelligence to a document, to a piece of data,
not just securing it but getting control over it and extending its usefulness. So why would
companies not recognize that security first brings larger business benefits that extend for years?
Glenister: Historically, security has always been, "No, you can’t do this, let’s stop." If you look
in a finance environment, it’s stop using thumb drives, stop using emails, stop using anything
rather than ease of solution. We've seen a transition. Over the last six months, you're starting to
see a transition where people are saying, "How do we enable? How do we get people to control
them?' As a result of that, you see new solutions coming out from organizations and how they
can impact the bottom line.
Gardner: So, it's behavior modifications that was always a big part of technology adoption.
Chris, what is it that we can do in the industry to show people that being secure and extending
the security to wherever the data is going to go or be gives us much more opportunity for
innovation? To me this is a huge carrot that I don’t think people have perhaps fully grokked.
Critical Security
And Compliance Considerations
For Hybrid Cloud Deployments
Steffen: Absolutely. And the reality of it is that it’s an educational process. One of the things that
I've been doing for quite some time now is trying to educate people. I can talk with a fellow
CISSP and we can talk about Diffie-Hellman encryption and I promise that your CEO does not
care, and he shouldn’t. He shouldn’t ever have to care. That’s not something that he needs to care
about, but he does need to understand total cost of ownership (TCO), he needs to understand
return on investment (ROI). He needs to be able to go to bed at night understanding that his
company is going to be okay when he wakes up in the morning and that his company is secure.
It’s an iterative process; it’s something that they have to understand. What is cloud security?
What does it mean to have defense in depth? What does it mean to have a matured security
policy vision? Those are things that really change the attitudinal barriers that you have at a C
table that you then have to get past.
Security practitioners, those tinfoil hat types -- I classify myself as one of those people too --
truly believe that they understand how data security works and how the cloud can be secured,
Page 5
6. and they already sleep well at night. Unfortunately, they're not the ones who are writing the
checks.
It's really about shifting that paradigm of education from the practitioner level, where they get it,
up to the CIO, the CISO who hopefully understands, and then up to the C table and the CFO
making certain that they can understand and write that check to ensure that going to a cloud
solution will allow them to sleep at night and allow the company to innovate. They'll take any
security as an enabler to move the business forward.
Gardner: So, perhaps it’s incumbent upon IT and security personnel to start to evangelize inside
their companies as to the business benefits of extended security, rather than the glass is always
half empty.
Steffen: I couldn’t agree more. It’s a unique situation. Having your -- again, I'll use the term --
tinfoil hat people talking to your C table about security -- they're big and scary, and so on. But
the reality of it is that it really is critically important that they do understand the value that
security brings to an organization.
Going back to our original conversations, in the last 6 to 12 months, you're starting to see that
paradigm shifted a little bit, where C table executives aren’t satisfied with check-box compliance.
They want to understand what it takes to be secure, and so they have experts in house and they
want to understand that. If they don’t have experts in house, there are third-party partners out
there that can provide that amount of education.
Gardner: I think it’s important for us to establish that the more secure and expert you are at
security the more of a differentiator you have against your competition. You're going to clean up
in your market if you can do it better than they can.
Step back
Steffen: Absolutely, and even bring that a step further back. People have been talking for two
decades now about technology as a differentiator and how you can make a technical decision or
embrace and exploit technology to be the differentiator in your vertical, in your segment, so on.
The credit reporting agency that I worked for a long time ago was one of those innovators, and
people thought we were nuts for doing some of the stuff that we are doing. Years later, everybody
is doing the same thing now.
It really can set up those things. Security is that new frontier. If you can prove that you're more
secure than the next guy, that your customer data is more secured than the next guy, and that
you're willing to protect your customers more than the next guy, maybe it’s not something you
put on a billboard, but people know.
Page 6
7. Would you go to retailer A because they have had a credit card breach or do you decide to go
retailer B? It's not a straw man. Talk to Target, talk to Home Depot, talk to some of these big big-
box stores that have had breaches and ask how their numbers looked after they had to announce
that they had a breach.
Gardner: Daren, let’s go to some examples. Maybe you can think of an example of IntraLinks,
and I know you can’t always name names, of a security capability that became a business
differentiator or enabler.
Glenister: Think about banks at the moment, where they're working with customers. There's a
drive for security. Security people have always known about security and how they can enable
and protect the business.
But what’s happening is that the customers are now more demanding because the media is
blowing up all of the cyber crimes, threats, and hacks. The consumer is now saying they need
their data to be protected.
A perfect example is my daughter, who was applying for a credit card recently. She's going off to
college. They asked her to send a copy of her passport, Social Security card, and driver’s license
to them by email? She looked at me and said, "What do you think? It's like, "No. Why would
you?"
People have actually voted, saying they're not going to do business with that organization. If you
look in the finance organizations now, banks and the credit-card companies are now looking at
how to engage with the customer and show that they have been securing and protecting their data
to enable new capabilities like loan or credit-card applications and protecting the customer’s
data, because customers can vote with their feet and choose not to do business with you.
So, it’s become a business enabler to say we're protecting your data and we have your concerns
at heart.
Gardner: And it’s not to say that that information shouldn’t be made available to a credit card or
an agency that’s ascertaining credit, but you certainly wouldn’t do it through email.
Insecure tool
Glenister: Absolutely, because email is the biggest sharing tool on the planet, but it’s also one
of the most insecure tools on the planet. So, why would you trust your data to it?
Steffen: We've talked about security awareness, the security awareness culture, and security
awareness programs. If you have a vendor management program and you’re subject to a vendor
management from some other entity, one of the things they also would request is that you have a
security awareness program?
Page 7
8. Even five to seven years ago, people looked at that as drudgery. It was the same thing as all the
other nonsensical HR training that you have to look at. Maybe, to some extent, it still is, but the
reality is that when I've given those programs before, people are actually excited. It's not only
because you get the opportunity to understand security from a business perspective, but a good
security professional will then apply that to, "By the way, your email is not secured here, but
your email is not secured at home too. Don’t be stupid here, but don’t be stupid there either."
We're going to fix the router passwords. You don’t need to worry about that, but you have a home
router, change the default password. Those sounds like very simple straightforward things, but
when you share that with your employees and you build that culture, not only do you have more
secure employees, but then the culture of your business and the culture of security changes.
In effect, what’s happening is that you'll finally be getting to see that translate into stuff going on
outside of corporate America. People are expecting to have information security parameters
around the businesses that they do business with. Whether it's from the big-box store, to the
banks, to the hospitals, to everybody, it really is starting to translate.
Glenister: Security is a culture. I look at a lot of companies for whom we do once-a-year
certification or attestation, an online test. People click through it, and some may have a test at the
end and they answer the questions and that’s it, they're done. It's nice, but it’s got to be a year-
round, day-to-day culture with every organization understanding the implications of security and
the risk associated with that.
If you don’t do that, if you don’t embed that culture, then it becomes a one-time entity and your
security is secure once a year.
Steffen: We were talking about this before we started. I'm a firm believer in security awareness.
One of the things that I've always done is take advantage of these pretend Hallmark holidays.
The latest one was Star Wars Day. Nearly everybody has seen Star Wars or certainly heard of
Star Wars at some point or another, and you can’t even go into a store these days without hearing
about it.
For Star Wars Day, I created a blog to talk about how information-security failures let to the
downfall of the Galactic Empire.
It was a fun blog. It wasn't supposed to be deadly serious, but the kicker is that we talked about
key information security points. You use that holiday to get people engaged with what's going on
and educate them on some key concepts of information security and accidentally, they're
learning. That learning then comes to the next blog that you do, and maybe they pay a little bit
more attention to it. Maybe they pay attention to simply piggybacking through the door and
maybe they pay attention to not putting something in an e-mail and so on.
It's still a little iterative thing; it’s not going to happen overnight. It sounds silly talking about
information security failures in Star Wars, but those are the kind of things that engage people and
make people understand more about information security topics.
Page 8
9. Looking to the future
Gardner: Before sign off, let’s put on our little tinfoil hat with a crystal ball in front. If we've
flipped in the last six months or so, people see the cloud as inherently more secure, and they want
to partner with their cloud provider to do security better, let’s go out a year or two, how
impactful well this flip be? What are the implications when we think about this and we take into
consideration what it really means when people think the cloud is the way to go and be secure as
a company doing anything on the internet?
Steffen: The one that immediately comes to mind for me -- Intralinks is actually starting to do
some of this -- you're going to see niche cloud. Here's what I mean by niche cloud. Let’s just take
some random regulatory body that's applicable to a certain segment of business. Maybe they
can’t go to a general public cloud because they're regulated in a way that it's not really possible.
What you're going to see is a cloud service that basically says, "We get it, we love your type, and
we're going to create a cloud. Maybe it will cost you a little bit more to do it, but we understand
from a compliance perspective the hell that you are going through. We want to help you, and our
cloud is designed specifically to address your concerns."
When you have niche cloud, all of a sudden, it opens up your biggest inherent barriers. We’ve
already talked about security. Compliance is another one, and compliance is a big fat ugly one.
So, if you have a cloud provider that’s willing to maybe even assume some of the liability that
comes with moving to their cloud, they're the winners. So let’s talk 24 months from now. I'm
telling you that that’s going to be happening.
Gardner: All right, we'll check back on that. Daren, your prediction?
Glenister: You are going to see a shift that we're already seeing, and Chris will probably see this
as well. It's a shift from discussions around security to transformation. You definitely see security
now transforming business, enabling businesses to do things and interact with their customs in
ways they've never done before.
You'll see that impacting two ways. One is going to be new business opportunities, so revenue
coming in, but it’s also going to be streamlined in the internal processes, so making things easier
to do internally. And you'll see a transformation of the business inside and outside. That’s going
to drive a lot of new opportunities and new capabilities and innovations we've seen before.
Gardner: Very good. I'm afraid we will have to leave it there. We've been discussing how cloud
security is rapidly advancing and how enterprises can begin to innovate to prevail over digital
disruption by increasingly using cloud-defined security.
And we’ve seen how a secure content-collaboration company, Intralinks, is removing a notion of
boundaries so businesses can extend further and safer, and in fact, it enables entirely new
business activities.
Page 9
10. So, please join me in thanking our panel, we have been here with Daren Glenister, the Chief
Technology Officer at Intralinks. Thank you, Daren.
Glenister: Thanks. I appreciate it, Dana, and it’s been good talking with you and with Chris.
Gardner: And we've been here with Chris Steffen, a Chief Evangelist for Cloud Security at
HPE. Thanks, Chris.
Critical Security
And Compliance Considerations
For Hybrid Cloud Deployments
Steffen: Thanks, Dana. It’s been a great conversation.
Gardner: And I'd like to thank our audience as well for joining us for this Hewlett-Packard
Enterprise, Voice of the Customer Security Transformation Discussion.
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this
ongoing series of HPE-sponsored discussions. Thanks again for listening, and do come back next
time.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett
Packard Enterprise.
Transcript of a discussion on how cloud security is rapidly advancing and how enterprises can
begin to innovate to prevail over digital disruption by increasingly using cloud-defined security.
Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.
You may also be interested in:
• How Software-defined Storage Translates into Just-In-Time Data Center Scaling
• Big data enables top user experiences and extreme personalization for Intuit TurboTax
• Feedback loops: The confluence of DevOps and big data
• Spirent leverages big data to keep user experience quality a winning factor for telcos
• Powerful reporting from YP's data warehouse helps SMBs deliver the best ad campaigns
• IoT brings on development demands that DevOps manages best, say experts
• Big data generates new insights into what’s happening in the world's tropical ecosystems
• DevOps and security, a match made in heaven
• How Sprint employs orchestration and automation to bring IT into DevOps readiness
• How fast analytics changes the game and expands the market for big data value
• How HTC centralizes storage management to gain visibility and IT disaster avoidance
• Big data, risk, and predictive analysis drive use of cloud-based ITSM, says panel
• Rolta AdvizeX experts on hastening big data analytics in healthcare and retail
• The future of business intelligence as a service with GoodData and HP Vertica
Page 10