On June 12, several thousand IT and business leaders, along with security vendors from hundreds of companies, descended on Washington, D.C., for the Gartner Security and Risk Summit. As the conference comes to a close, it seemed appropriate to step away from the sessions and bustling exhibit halls to enjoy the balmy 95-degree D.C. morning and reflect on what was seen and heard so far. In the interest of time (your time), the top 100 revelations have been pared down to the five found most interesting.
1. IT challenges: we've come a long way, baby!
Remember the 5.25" floppy diskette?* (If you still have one, ten points for you!) In one of the Gartner sessions, “Addressing Network Security Challenges in 2017,” we were reminded of our past in the story of the ever-evolving IT challenge. It started with the need for a new security technology to help protect against threats being spread by floppy disks — and AV was born. When Novell set the IT world on its ear with something called the “network,” we saw the emergence of newer techniques, like the firewall. The session’s takeaway: every new IT challenge requires a change in thinking, and trying to solve new challenges with old solutions is neither transformational nor likely to succeed.
The progression of SaaS provides a current example of this problem. As apps leave your data center, you need a security stack that is similarly freed from your network. Forcing traffic through data center appliances before it can get to the Internet creates latency, the enemy of cloud apps. Moving security to the cloud results in a fast user experience, so it helps to deliver on the productivity promise of SaaS.
2. Where is all the good malware hiding?
Gartner claims that by 2020, more than 60 percent of organizations will fail to decrypt HTTPS (SSL) traffic. That’s an alarming figure in light of the increased use of HTTPS (according to Mozilla, it’s already accounting for 50 percent of all Internet traffic) and the increased use of HTTPS to hide malware. With the limitations of today’s appliances, looking inside SSL seems to be a puzzle many organizations will be trying and failing to solve for some years to come. But with Zscaler’s native SSL inspection in the cloud, you can be up and running with SSL inspection from day one.
3. Ransomware, thy name is not zero-day
You don’t have to fly 3,000 miles to a security conference to hear about ransomware; it’s everywhere. Even so, we got a startling reminder about how vulnerable organizations remain. As we know, ransomware can leverage newly found security holes (zero-day), and security vendors at this conference are quick to tout their latest sandbox appliances designed to thwart such attacks (at astonishing prices). But the bulk of ransomware attacks leverage known vulnerabilities, which means that signatures are not being updated frequently enough and patches are not being implemented. The answer is in the cloud effect. Because the Zscaler cloud processes 30 billion daily requests, it amasses a lot of threat intelligence and gets more than 120,000 security updates every day. If a threat is detected anywhere in our cloud, protection is immediately distributed to all users.
As reported in Verizon’s latest Data Breach Investigation, “Ransomware notes are now the most profitable form of writing.” As long as ransomware remains a cash cow, IT will need to keep its eye on three fundamental goals: train users to remain on alert, patch your systems early and often, and make sure you can deliver security to all your users, on or off network, with the latest protections.
4. The Software-Defined Perimeter is the cool kid on the block
Gartner identified the Software-Defined Perimeter (SDP) as a Top 10 technology you should be exploring in 2017. An SDP allows IT to use software-defined policies to connect named users to named apps. By shifting away from a network-based access model to a policy-based model, you decrease your attack surface. That’s because you no longer need to put users on an entire network to give them access to an application. You simply allow the user to connect to the app, with no network or VPN required. This approach creates application segmentation, which minimizes the ability of threats to move laterally within your environment. If you’d like to read more about SDP, I encourage you to check out Zscaler Private Access.
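An added illustration of the attack-surface claim above (not code from the article or from any vendor's product): for a constructed environment, it compares the apps a user can reach once a VPN places them on a routed network with the apps named for them in a default-deny policy. Every user, app, segment and grant below is a made-up assumption.

```python
from collections import deque

# Constructed sample environment (not from the article): the segment each
# app server sits on, and which segments are routed to each other.
APP_SEGMENT = {"crm": "corp", "wiki": "corp", "payroll": "finance", "build": "dev"}
ROUTED = {"corp": {"finance", "dev"}, "finance": {"corp"}, "dev": {"corp"}}

# Network-based model: a VPN login places the user on a segment.
VPN_SEGMENT = {"alice": "corp", "bob": "dev"}

# Policy-based model: default deny, explicit (user, app) grants only.
SDP_POLICY = {("alice", "crm"), ("alice", "wiki"), ("bob", "build")}


def reachable_via_network(user):
    """Apps reachable once the user is on the network: every app on the
    user's segment and on any segment routed from it, transitively."""
    start = VPN_SEGMENT.get(user)
    if start is None:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in ROUTED.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {app for app, seg in APP_SEGMENT.items() if seg in seen}


def reachable_via_policy(user):
    """Apps reachable under the policy model: only those named for the user."""
    return {app for (u, app) in SDP_POLICY if u == user and app in APP_SEGMENT}


def excess_exposure(user):
    """Apps a stolen credential could touch under the network model but not
    under the policy model."""
    return reachable_via_network(user) - reachable_via_policy(user)


if __name__ == "__main__":
    for user in sorted(VPN_SEGMENT):
        print(user, sorted(reachable_via_network(user)),
              sorted(reachable_via_policy(user)), sorted(excess_exposure(user)))
```

The `excess_exposure` set is the part of the environment that application segmentation takes out of reach of a single compromised account.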
5. Everything here sounds the same
Gartner reported that 70 percent of its customers surveyed have difficulty distinguishing between various security products, which means the industry as a whole needs to do a better job of highlighting key differences, such as those between security solutions that were born in the cloud and those that were simply moved to a remote data center and labeled as “cloud.”
No doubt, identifying the right solutions to solve your IT challenges is as daunting as it is important. There’s plenty of information out there, which you can parse if you’ve got a few months to spare. But better yet, talk to trusted peers and your counterparts in other organizations. Find out how they’re supporting cloud applications, like Office 365. How are they securing traffic to and from apps in public and private clouds? What are they doing about their aging VPNs?
I hope you’ll take a moment to explore the ways that Zscaler can help you with all of these initiatives, protecting your users today and enabling you to securely transform to a cloud-enabled organization.
*If you’re too young to remember the floppy, prepare to be amazed: https://en.wikipedia.org/wiki/Floppy_disk