Cloud and mobility have changed how we work, giving access to information 24/7. This transformation, however, has unleashed havoc, proving that IT practices must change to reflect today's hyper-connected world. Enter CHAOS Theory (Control Havoc And Overhaul Security): best known as a popular theory among mathematicians, it proves, when applied to IT, to be a management tool among the clutter.
Thanks to mobility and cloud, power lies with users, and IT teams scramble to protect corporate applications and proprietary information across personal smartphones and tablets. Business units and workers are embracing public cloud services for everything from document-sharing to payment services, concepts that make CISOs cringe. We see business users sidestep IT departments' strict compliance and security policies by provisioning “rogue services” with company credit cards, leaving IT teams to discover these transactions months later, if at all. However, IT teams have an opportunity to adopt more context-based controls by thinking in terms of who, what, where and when, rather than relying solely on controls at key points in the infrastructure.
The industry needs to embrace innovative security and identity architectures so organizations can protect users' identities, devices and data, wherever and whenever they are.
While security of the cloud itself is often cited as a roadblock, the power of the cloud – and the crowd – can be used for our protection. Cloud-based threat data can help make more accurate predictions about risk because it provides an aggregate view of threats seen around the world, which better enables risk prioritization. The real-time nature of the cloud can protect us in a way that post-event anti-virus signatures cannot, and organizations of all sizes can benefit from the shared expertise of security experts and best practices around the globe.
Now is the time for infosec pros to embrace CHAOS and protect organizations from the realities of our always-on world.
Evelyn de Souza is a senior cloud compliance strategist for the security technology group at Cisco and co-chair of the Cloud Security Alliance Cloud Controls Matrix (CCM).