The enterprise workplace has changed significantly over the past few years with the rapid adoption of hybrid work. Organizations across all industries can leverage digital workspaces to implement hybrid work models that (1) provide employees with a superior user experience, (2) meet security, productivity, collaboration, and employee satisfaction goals for the business, and (3) are manageable for IT.

The way forward is implementing a digital workspace solution that can deliver a high-quality user experience for a wide variety of employee needs and keep business information secure. Digital workspaces closely replicate the on-premises experience when an employee is off-site or at home, so employees can continue to be productive wherever they want to work.

What is a digital workspace?

Digital workspaces allow employees to access their work in real time, from anywhere they have a network connection and from any device. A digital workspace encompasses virtual desktop infrastructure (VDI), data centres, edge, workstations, and applications, whether on-premises or in the cloud, as well as endpoints, collaboration technologies, management and administrative tools, and secure access policies and tools.

The virtual nature of digital workspaces makes them highly accessible—corporately managed devices that remain in an office space aren’t a requisite to securely access company data and applications.

A digital workspace that lives in a cloud or on a server stack can be accessed from employees' own devices, Zero Clients, and Thin Clients.

Digital workspaces include collaboration features so employees and peers can work together on the same project—even on the same workspace—when they aren’t physically in the same space. They also allow users to share resources. Teams in the same city, or even around the world in different time zones, can leverage shared hosts and applications. To find out more on how to create secure, collaborative and productive digital workspaces click here. For more information on ensuring secure access to digital workspaces click here.

Remote Work


Staying in control and securing your data has never been more important! As data privacy regulations continue to evolve, businesses have had to adapt how and where they store data. The EU’s General Data Protection Regulation (GDPR) has been the most newsworthy, requiring all businesses that operate in or have customers in the EU to change how they handle personal data. Regulations, compliance, and how data is controlled and managed are becoming more of a critical factor globally, with more than 157 countries around the world having some form of data privacy law, and thus putting a spotlight on sovereign clouds.[1]

In addition to rights to transparency and security granted by regulations such as GDPR, more countries worldwide are starting to create rules around data sovereignty. This ‘protectionism’ restricts where data can go and who has jurisdiction over the data. New rules around data sovereignty are designed to keep data out of the hands of other countries, bad actors, and those without authorized access.  

Data sovereignty is the right to control citizens’ data collection, ownership, and application.[2]

To ensure compliance with data privacy and sovereignty laws, organizations are looking to sovereign cloud solutions to protect their sensitive data. Sovereign clouds are operated by experienced national cloud providers who can provide dedicated cloud storage that complies with local regulations. 

There are four key use cases to consider around sovereign cloud. This post will cover all four in brief, or you can read the in-depth posts on each topic. 

Data Sovereignty in the Cloud

Data Security and Compliance

Data Access and Integrity

Data Independence and Mobility

Data Sovereignty in the Cloud 

A significant hurdle for complying with data sovereignty regulations is the dominance of U.S.-based companies in the public cloud computing market. These providers are subject to the U.S. CLOUD Act, which could result in the U.S. government accessing data, even if it is stored in another country but with a U.S.-based company.  

Sovereign cloud protects your data from interference by foreign authorities. All data, including metadata, resides locally, making it easier to comply with residency laws and other local sovereign requirements. Using a sovereign cloud allows you to stay in control of your data and ensure it’s compliant with regulations.  

Data Security and Compliance 

Sovereign cloud providers use multi-layered security and access controls to protect data. This prevents unauthorized access and data loss in the face of growing cyberattacks. Additional data protection steps should be taken by the provider, such as encryption and air-gapped storage.  

Compliance with data sovereignty laws is critical, from where data is stored to who can access it. As laws evolve, compliance staff must understand and follow relevant local and industry regulations. Sovereign cloud providers have been approved for security controls as part of the 20-point self-attestation process, which provides consistent security, zero trust principles and micro-segmentation, in addition to having local compliance experts to keep up with the latest laws.

VMware Sovereign Cloud helps organizations comply with data privacy laws by partnering with local cloud providers to build sovereign clouds on VMware’s framework that are hosted entirely within a local jurisdiction. These VMware Cloud Verified partners have local staff with security clearances (if required) and expertise with local laws to ensure the compliance of the sovereign cloud environment. These providers offer continuous compliance monitoring, reporting, and remediation so data follows local and industry regulations.

Data Access and Integrity 

Having data is useless if you can’t access it when you need it. That’s why access and integrity are required components of a sovereign cloud. With multiple in-region data centers, providers can offer 99.999% uptime in addition to backup and recovery protocols that meet data sovereignty requirements. 

VMware Sovereign Cloud provides secure access to sensitive data and protects its integrity to allow organizations to unlock value from their data and to ensure it is accurate and complete. In-region data centers with high availability, resilient infrastructure, and low latency make data accessible when needed. Secure access presents new opportunities for data analysis that can fuel innovation and improve local economies. 

Data Independence and Mobility 

Data sovereignty laws have placed restrictions on how data travels across national or regional borders. These data movement and sharing restrictions can cause companies to limit where they do business to avoid compliance headaches. Sovereign clouds can prevent these issues by keeping a company’s sensitive data compliant while operating as part of a broader multi-cloud ecosystem that supports the overall business.

VMware Sovereign Cloud helps organizations future-proof their cloud infrastructure with data independence, interoperability and mobility. Data can be shared and migrated as needed to respond to changes in technology or geopolitics. A sovereign cloud is compatible with multi-cloud or hybrid cloud strategies and is separate from the underlying infrastructure, preventing vendor lock-in. Workload migrations into or out of a sovereign cloud are secure, allowing organizations to deploy and move data anywhere as needed.

For more information on VMware Sovereign Cloud, download the Sovereign Cloud Solutions Brief or watch the Sovereign Cloud Overview video.
To learn more about sovereign cloud from VMware or to connect with a provider in your region, visit https://cloudsolutions.vmware.com/services/sovereign-cloud.html or join the conversation on Sovereign Cloud on LinkedIn.

Sources:
1. Graham Greenleaf, "Now 157 Countries: Twelve Data Privacy Laws in 2021/22", SSRN, University of New South Wales Faculty of Law, March 2022
2. Hinrich Foundation, "Data is disruptive: How data sovereignty is challenging data governance", August 2021

Cloud Computing, Cloud Security

While mobile devices are the symbol of business continuity, they are also the mark of easy prey for cybercriminals. In fact, 75% of companies experienced a “major” mobile-related security compromise in 2022. And that risk brings high costs with it. When remote workers are the root cause of a data breach, mitigation costs rise 20%, hiking the price tag from $4 million to $5 million.

And it’s not just cybercriminals profiting from loopholes in corporate mobile security.

Regulations like GDPR and SOC2, as well as government agencies themselves, have all taken aim at mobile vulnerabilities. In October, the federal Securities and Exchange Commission fined 16 financial firms $1.8 billion after they failed to prevent employees from communicating with clients via their personal devices.

With the proliferation of personal devices used for work, most executives are bracing for impact and recognizing that it’s time to strengthen endpoint security. Whether you are working to avoid federal agents or rising ransomware attacks, here are the best practices for improving the security posture of your corporate mobile fleet.

Remove blind spots to strengthen mobile security 

Widening protections for the entire fleet starts with understanding your devices and where their vulnerabilities hide, as uncovering security blind spots is half the success equation.

Companies are highly reliant on their mobile devices and yet many manage hundreds or thousands of them using poor recordkeeping practices. Comprehensive security starts with a registry that defines what the fleet has, what state it is currently in, and what applications, access methodologies, and services it uses. Devices can include laptops, phones, iPads, watches, scanners, sensors, and a variety of wireless tools.

Gaining visibility is the first step in identifying and managing every device into a known state. Network analytics, usage audits, Shadow IT discovery tools, and IT expense management platforms can be helpful in establishing a working inventory that can be expanded with detailed information about ownership, operating systems, users, their associated applications as well as the security risk of each application in use. A centralized system also helps with overarching insights to prioritize security efforts. For example, you may want to start with high-volume devices or those that use applications bringing the highest security risk.

Consider your mobile strategy and its impact on security

With an accurate assessment of company-owned and employee-owned devices, now is a good time to evaluate how your mobile strategy and device ownership policy uphold security. More devices expand the attack surface for bad actors, and the lack of standardization can make security complex with a broader range of operating systems, device types, applications, and other hardware-based risks for IT teams to manage.

One Vanson Bourne study showed 81% of companies are shifting their corporate policies due to challenges in security and management. At companies with a Bring-Your-Own-Device (BYOD) policy, 65% of devices accessing corporate information are personally owned. This reveals the intertwined relationship between employee devices and the information companies must protect. While today’s dominant approach is to use a BYOD approach with mobile phones and corporate ownership for laptops, tides are shifting as companies better balance security requirements with the convenience of employee devices.

Best practices: configure and secure devices into a known state

Building a foundation for mobile security should start with leading security frameworks, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Model for Enterprise Mobility, which includes mobile security techniques as well as tips for using the built-in security features of mobile operating systems. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is also helpful in process design.

The act of securing devices requires applying technologies to exert visibility and control over the entire fleet. This way companies can examine the operating system versions, configurations, and firmware, identifying any loopholes or security threats. Moreover, these tools can ensure applications comply with enterprise security standards, detect when system changes have been made, and empower IT teams to take swift action regarding threat investigation and mitigation. Unified endpoint management solutions (also known as mobile device management solutions) package these security tools and services together for ease of implementation and ongoing management.

Particular attention should be paid to:

Cloud-based security compatible across a range of devices, allowing for the widest applicability and the broadest standardization of security across the entire fleet.

System updates and patches with real-time, granular insight into device compliance across the operating system, web browsers, and applications in use.

Multi-factor and password-less authentication, as compromised passwords are a key cause of mobile device data breaches.

Multi-layer security addressing the core, hardware, firmware, and applications.

Zero trust network access capabilities applied on a continuous basis, reducing the attack surface through an identity-based approach to security and access management.

Physical separation: whether it's network segmentation applied to mobile and IoT devices, secure containerization separating personal information, or data isolation blocking unauthorized communications, separation makes sensitive information more difficult to access.

Location tracking and remote controls that allow IT teams to manage functions from afar, including finding, locking, and unlocking devices, pushing content and applications, and wiping devices either selectively or entirely.

Automation and analytics that make it faster and easier to manage mobile security. Machine learning and behavioral analytics are best for monitoring threats and accelerating the time to identify malware, ransomware, and zero-day attacks. Process automation eliminates repetitive, manual tasks necessary in maintaining inventories, preparing devices for employee use, and reducing IT intervention when remediation or quarantine actions are needed to bring the fleet into compliance. Dashboards should summarize the active risk exposure, including vulnerabilities associated with each endpoint, and automation should prioritize response and remediation based on the likelihood of a breach.

Often companies have too many devices to secure and too few resources to do the job effectively. That leaves security unchecked at critical moments in the lifecycle of a device, such as during preparation stages, threat mitigation procedures, and employee on- and off-boarding. At these junctures, each device must be protected comprehensively, outfitted with the company’s unique security applications, updated with the latest patches, and enabled with encryption, firewalls, anti-virus, and built-in security features—all before devices are put back into the hands of users.

This explains why many IT teams need to add the support of asset management services to their mobile security software purchase. When IT resources are already overstretched, service providers can handle inventories, orders, provider relationships, invoices, mobile help desk support, configurations, repairs, and decommissioning and reassignments.

Holistic endpoint security practices

Advanced security capabilities, alongside dedication and discipline, are necessary to configure devices into a compliant state. Maintaining that known state is equally essential, as both the business and the threat landscape perpetually evolve.

Mobile security pressures will continue to rise in parallel with more cybersecurity attacks, changing compliance requirements, and more devices to manage. Companies that can make and keep a concentrated effort on mobile security will rise above these challenges by exposing any blind spots inside their fleet, operationalizing a data-driven mobile strategy, and making proactive and ongoing security protections an integrated element of their mobile-first business.

To learn more about mobility management services, visit us here.

Cloud Security

According to a PwC report, one in three consumers (32%) say they will walk away from a brand they love after just one bad experience. Unlike personal relationships, loyalty in the consumer world can be surprisingly transitory. This gets worse in the digital world where it takes just a few clicks and minutes to uninstall one app and replace it with a competitor’s app. There are similarities between how loyalty is formed in the physical and digital world. It all boils down to two things – how you feel about that relationship and how much time you are investing in it.

Deliver Delightful Customer Experiences

156. That’s the number of apps I’ve installed on my mobile phone. On any given day, I will be using at least 10% of them. And out of these, my favourite app is a local banking app. It’s one app that I feel was designed just for me. It’s completely intuitive, allows me to perform most tasks in less than 3 clicks, has all the functions that I need to perform banking on-the-go, is constantly updated with new features, comes with great performance and stability and most of all is very secure. These are what I’d refer to as key ingredients to provide delightful customer experiences.

A great amount of design thinking goes into building such modern apps that deliver intuitive user experiences. A pod-based team structure can be set up where you have all the stakeholders responsible for delivering the app. There needs to be strong alignment amongst all the stakeholders ranging from the software developer, the product manager, line of business all the way to the quality engineer. Everyone should know what they are delivering, why they are delivering and how they will be delivering.

Leveraging the right set of technologies will be a key success criterion for such apps. The app should adopt a cloud native architecture to ensure agility, scalability, and resilience. Security should be incorporated from the earliest stages of app development to minimize risk, time, and costs. These best practices coupled with a sound design thinking approach can help enhance customer experience and as a result improve loyalty.

Elevate Customer Engagement

Another way to measure loyalty in the digital world is by the amount of time consumers are using an app. App engagement time is crucial as it influences revenues through ads, spendings, as well as consumer data that can be monetized in the future. To maximize engagement and app-stickiness, companies are increasingly introducing more revenue-generating offerings within their apps. To that end, we’ve seen the rise of the one-app-to-rule-them-all aka a Superapp. Some of the well-known Superapps in Asia are household names e.g., Grab, Gojek, WeChat and PayTM. Grab for example started out as a ride-hailing app. Today its offerings include deliveries, mobility, financial services among others. Gartner anticipates that Superapps will be one of the top 10 strategic technology trends for 2023.

A major downside of a Superapp is that if it is compromised, whether through security vulnerabilities in the app’s code, malware in its libraries, or a configuration error, it can become the-one-key-to-access-them-all for bad actors. It can be a free pass not just to tamper with, but also to exfiltrate, all types of sensitive consumer data. According to a McKinsey report, 71% of consumers said they would stop doing business with a company if it gave away sensitive data without permission.

To tackle this data privacy issue, all data exchanges within a Superapp should be encrypted. In addition, we should also perform real-time monitoring for leaks of sensitive data such as credit card numbers and other personally identifiable information (PII).
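One way to implement the real-time leak monitoring described above, as an added example that is not part of the original post or of any SUSE product: a small scanner that runs over constructed log lines, flags card numbers only when they pass the Luhn check (so order IDs and timestamps are not false positives) and e-mail addresses, and reports masked values so the monitor itself never stores the PII it finds.

```python
import re
from dataclasses import dataclass

# Candidate primary account number (PAN): 13-19 digits, optionally separated
# by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (the usual PCI-style display form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, domain = addr.split("@", 1)
    return local[0] + "***@" + domain


@dataclass
class Finding:
    line_no: int
    kind: str    # "pan" or "email"
    masked: str  # never the raw value


def scan_lines(lines):
    """Scan an iterable of log/message lines and return masked findings."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(n, "pan", mask_pan(digits)))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding(n, "email", mask_email(m.group())))
    return findings


# Constructed sample lines (hypothetical checkout service output):
# line 1 carries an e-mail and a 16-digit order id that fails Luhn,
# line 2 carries a well-known test card number, line 3 carries nothing sensitive.
SAMPLE_LOG = [
    "2024-05-02T10:15:01Z checkout user=jane.doe@example.com order=1234567890123456",
    "2024-05-02T10:15:02Z payment card=4111 1111 1111 1111 exp=12/27",
    "2024-05-02T10:15:03Z shipping status=dispatched ref=98765",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} leaked -> {f.masked}")
```

In a real deployment the scanner would sit on the app's outbound logging or messaging path and raise an alert rather than print.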

Engage a Trusted Partner

To build customer loyalty in the digital world, businesses need to delight customers and keep them engaged. Leveraging cloud-native architectures, incorporating sound security and data privacy practices, and using design thinking methodology will be instrumental in building modern, secure, and engaging apps. In addition, it will also be important to engage the right technology partner who can support you on this journey.

For the past 30 years, SUSE has been helping customers realize their business goals through transformative and cutting-edge open-source technologies.

Rancher Prime is an industry-leading platform that helps companies roll out scalable and resilient cloud native and container-based apps across a distributed IT landscape. It empowers DevOps teams to build and deploy modern apps and updates in a rapid and automated manner.

SUSE NeuVector protects apps from bad actors throughout their software lifecycle, from development to production environments. It helps security teams implement zero trust controls for apps that may be running in a distributed environment. NeuVector also comes with advanced preventive threat capabilities to prevent data loss in real time.

Learn more at this link: Rancher by SUSE.

SUSE

Vishal Ghariwala is the Senior Director & CTO, APJ and Greater China for SUSE, a global leader in true open source solutions. In this capacity, he engages with customer and partner executives across the region, and is responsible for growing SUSE’s mindshare by being the executive technical voice to the market, press, and analysts. He also has a global charter with the SUSE Office of the CTO to assess relevant industry, market and technology trends and identify opportunities aligned with the company’s strategy.

Prior to joining SUSE, Vishal was the Director for Cloud Native Applications at Red Hat where he led a team of senior technologists responsible for driving the growth and adoption of the Red Hat OpenShift, API Management, Integration and Business Automation portfolios across the Asia Pacific region. Before that, he spent a significant amount of time with leading middleware vendors such as IBM, ILOG and Intalio, as well as the public sector.

Vishal has over 20 years of experience in the Software industry and holds a Bachelor’s Degree in Electrical and Electronic Engineering from the Nanyang Technological University in Singapore.

Vishal is here on LinkedIn: https://www.linkedin.com/in/vishalghariwala/

Application Security, Mobile Development

As companies lean into data-first modernization to deliver best-in-class experiences and drive innovation, protecting and managing data at scale become core challenges. Given the diversity of data and range of data-inspired use cases, it’s important to align with a robust partner ecosystem. This can help IT teams map the right set of services to unique workflows and to ensure that data is securely managed and accessible regardless of location.

Data volume has become a challenge for organizations as the size and velocity of data increase. Yet there’s no singular, one-size-fits-all framework for secure data storage and management. According to IDC, global data creation and replication will experience a compound annual growth rate (CAGR) of 23% by 2025. This means that organizations need access to a range of solutions for storing sensitive data at scale, especially considering mounting regulations that vary by geography and industry. Two well-known examples: GDPR in Europe and HIPAA privacy rules for health information in the U.S.

With data well situated as the lifeblood of organizations and as a core competitive differentiator, data security becomes paramount. The rise in ransomware attacks and other cybersecurity breaches has raised awareness of the issue and made securing the IT estate a top C-suite priority. 

Upgrading IT and data security to reduce corporate risk was the No. 1 CEO priority for respondents to the IDG/Foundry “State of the CIO Study 2022” research, cited by a third of the respondents. Almost half (49%) called out increasing cybersecurity protections as the top business initiative driving IT investments this year, up from 34% in 2021. 

The push for elevated cybersecurity protections is also filtering down into storage and data management requirements. Gartner research shows that 60% of all enterprises will require storage products to have integrated ransomware defense and mitigation mechanisms by 2025, up from 10% in 2022.

As enterprises modernize with cloud, connectivity, and data, they are gravitating to technology-as-a-service models to refashion IT estates. Traditionally these IT ecosystems feature silos spread across multiple environments, including on-premises data centers, colocation facilities at the edge, and diverse cloud platforms. Compounding the complexity is the problem of multigenerational IT and the challenge of establishing resilience and cybersecurity across workloads, given the disparity of these environments and the mounting cybersecurity, regulatory, and privacy challenges.

Without an overall strategy for modernization, companies risk mismanaging their edge-to-cloud data efforts, either overprovisioning, which incurs unnecessary costs, or underprovisioning, which impedes their ability to fully deliver for customers or hit key business goals. They may also lack on-location staff expertise to design and manage robust cybersecurity protocols. 

“Customers want to be provided with integrated and optimized hardware and software platforms … to make sure there’s no disruption at all in the business,” says Valerie Da Fonseca, worldwide GreenLake and GTM senior director at HPE. “The key here is to shape the right data strategy, so you simplify data management and provide access controls in an as-a-service model.”

Partner Ecosystem at Work

A rich partner ecosystem is essential for delivering next-generation secure data management protection from edge to cloud. HPE GreenLake’s backup-and-recovery services help companies fulfill data protection service-level agreements (SLAs) without having to make upfront capital investments or take on overprovisioning risk. On-demand cloud backup and recovery services ensure resilience at scale and allow for an agile response to changing business needs. Preconfigured on-premises solutions provide extended options, and a rich ecosystem of third-party partners gives customers choice.

The HPE GreenLake data protection portfolio delivers next-generation data protection services, from design and implementation to delivery with no vendor lock-in. The life cycle starts with HPE’s Zerto ransomware protection and disaster recovery services and extends to hybrid cloud data protection with the HPE Backup and Recovery Service. Finally, HPE offers on-premises data protection with HPE StoreOnce, a modernized data management solution for hybrid cloud that simplifies operations and delivers data protection based on common SLAs. Additional backup-and-recovery options from ISV partners such as Veeam, Commvault, and Cohesity complete the picture, ensuring that HPE GreenLake for Data Protection Services provides a breadth of choice to make data backup-and-recovery operations seamless and automated.

“The partner ecosystem delivers a comprehensive, end-to-end suite of services that adds value to HPE’s data protection strategy,” Da Fonseca says. “We are integrating everything into our hardware and HPE GreenLake as-a-service platform, and the solutions can be located everywhere and anywhere and be fully managed if customers don’t have the staff.”

To ensure the right data management/protection mix, HPE works with customers to understand their business needs and IT management challenges, creating a holistic strategy that encompasses the right partners and operating model. That level of comprehensive planning is crucial to safeguarding data and ensuring an end-to-end data management strategy that truly mitigates risk and meets the needs of the business. At the same time, making data protection available as a service streamlines the customer experience, providing time-to-market and cost advantages.

For more information, visit https://www.hpe.com/us/en/solutions/edge-to-cloud.html


By Christian Aboujaoude, chief technology officer at Keck Medicine, USC

In the pre-pandemic days, security solutions could be more basic. Securing the perimeter could be likened to locking the door of your house. But with remote workers taking devices off premises and sometimes using their own, securing the workplace requires a new approach. Sophisticated threats come from every angle, and preparing a complete defense is vital.

We are in an environment of constant change and unexpected events. Just when many people began welcoming a post-pandemic world, cases started rising again, and the need to apply proper controls, governance, education, and tools for remote workers once more became top of mind for many cybersecurity leaders.

For CISOs and their teams, the challenge is to build a culture that facilitates the ability to adapt to change on an ongoing, continuous basis. This requires a new mindset in securing all users — remote users, in particular. It also means evolving your approach so that cybersecurity is no longer viewed by business management as a cost center, but rather as a means of competitive differentiation and innovation for the organization.

In my view, there are three critical aspects to changing the culture and mindset to adapt to current and future cybersecurity challenges, particularly as remote work becomes more deeply ingrained as a business requirement:

1. Education: Develop a deep understanding of every aspect of your organization and spend a lot of time and attention on education – for everyone, whether they are on your security teams, in your executive suite, front-line workers on-premises, remote workers, or anywhere else in your ecosystem.

2. Technology: Even in some larger organizations, basic technologies – such as multi-factor authentication or secure VPN – are not given the priority necessary to allow remote workers to operate in a more controlled environment. It is important to have the basics under control before adding innovations, such as Zero Trust.

3. Procedures and practices: It is vital to maintain a philosophy of ongoing education along with continuous evaluation of the technology your organization is using or, in some cases, not using. From a procedural perspective, you must understand everything in your environment. Once you understand it, you can assess and address its impact on your current risk and overall risk profile.

1. Leveraging education to secure remote workers

The reason education tops my list is that over 80% of cybersecurity events relate to people. Everyone needs to truly understand what cybersecurity is — and that it’s not just a password or two-factor authentication. Cybersecurity is an approach — a mechanism. It’s how you go about conducting work. Achieving a strong cybersecurity posture takes cultural change, behavioral change, and constant learning.

When users were largely on premises, most organizations could compensate for potentially dangerous behavior by having multiple controls to help protect them. However, when those same people go remote, there’s a bit of a loss of control and governance. There are technologies to help cover user behavior, but it is better when the behavior doesn’t exist in the first place.

This means that we must educate folks on cyber hygiene, making sure they understand that the steps they take at work may not be the steps they take when they are working remotely or from home. This is especially critical in this very open-ended environment, where a user’s device may be used by other people in the home.

2. Leveraging technology to secure remote workers

Strong foundations are also important from a technological perspective. You must make sure you have controls, processes, and governance for multi-factor authentication and secure VPN. It’s those things that pave the way for Zero Trust.

My best advice is to approach everything from the bottom up, understanding not just your inventory but every single behavior that takes place from a public-facing standpoint. This is especially important for remote workers. A good place to start is by asking yourself and your team key questions:

Do we know what our environment actually contains?
Are we aware of all the devices and services running in our environment?
Do we have an inventory of all of our IoT devices?
Do we understand the needs and potential risks of all of our users?
Do we know the needs of each application and user based on key criteria such as performance, availability, resilience, data usage, and, of course, security?

Fundamentally, you need technology tools that can exist on your network and identify all connected devices. I’m talking about tools that are able to actually interrogate the network, understand packets, and capture specific metadata for each device to determine how it lives on the network.

3. Leveraging procedures and practices to secure remote workers

If you haven’t figured it out by now, I’m a huge stickler for inventory. From a process standpoint, you must understand your inventory: what it is, what it means, and why it matters — as well as its impact on your business and your security posture. 

So, from a procedure standpoint, you need something in place that is able to identify what you have in your environment. Then you must relate and correlate that information to any situation, to the point where you can say about any device: “This device is connected to this application that lives here and does that.”

From there, you can build a configuration management database (CMDB) approach to really understand your environment and have processes in place to integrate with your ITSM tool so you can execute the specific actions you need to take.

Maintaining ongoing processes also relates back to my first point: education. CISOs need to ensure training and education are continuing when people work from home or remote locations, and they need to have tests, controls, processes, and governance to continuously identify and correct non-malicious but potentially dangerous behavior. Quick-hit training without repetition is rarely effective.

My advice for CISOs and other cyber leaders

If I could leave CISOs and other cybersecurity leaders with a key takeaway from this article, it would be this: Every CISO should figure out how to balance the business operations of their organization with a security mindset that is not destructive to the business but is, in fact, built into the fabric of the business. In order to do that, I urge all security professionals to take the time to understand as much as they can about the business in which they work.

Note the emphasis on the business, not cybersecurity. Most security professionals know security exceptionally well. But if they don’t have an equally exceptional understanding of their business or organizational needs, they are potentially setting themselves — and their organizations — up for failure.

Whether you are the CISO or anyone on the security team, you need to be able to go to the people in any department and have detailed conversations with them related to their protection and their business needs. It may start with something simple: “We saw that you have these devices. They are not in compliance with our security posture, and we need to take this action or we will be forced to put it offline.”

Of course, the immediate reaction will be: “You can’t do that!” And the response is: “Yes, we know. That’s why we have to fix the problem.” A solution-focused and service-focused mindset is key.

The opportunity ahead

Remote work is here to stay. To make it successful, you have to make it secure. Cybersecurity leaders and their teams have an opportunity to make huge contributions to their organizations over the next few years by developing cyber-aware cultures that are both agile and responsive to the changing needs of their organizations.

By focusing on the fundamentals, CISOs can prepare themselves, their teams, and their organizations to be ready for whatever comes next. As we’ve learned all too well over the past few years, change is the only constant in cybersecurity. Be ready.

For more perspectives on cybersecurity, visit us online.

About the author:

Security Roundtable author, Christian Aboujaoude, is the chief technology officer at Keck Medicine, USC.


By Milan Shetti, CEO Rocket Software

According to a recent Rocket Software survey, 80% of IT professionals categorize the mainframe as critical to their business. But in order to be successful in today’s technology-driven world, businesses that rely on the mainframe must modernize their operations and integrate the latest tools and technologies. Companies choosing to abandon their mainframe face a costly endeavor, risk downtime, and lose out on powerful benefits. Modernizing in place allows businesses to continue leveraging their technology investments through modernization without sacrificing the many benefits provided by mainframes.

One technology that modern mainframes need is secure open-source software. Four years ago, the Linux Foundation’s Open Mainframe Project introduced Zowe, a first-of-its-kind open-source framework based on z/OS, making it easier than ever to bridge the gap between modern applications and the mainframe. Rocket Software is a founding member of the Zowe coalition, and our engineers have played an integral role in the evolution of the Zowe open-source framework. Open-source technologies provide organizations with the responsiveness and adaptability they need to implement advanced tools and practices that balance developers’ desire to work with the latest technology against the organizational need for security and support.

Read on to learn more about why modern mainframes need secure open source.

Benefits of modernizing the mainframe

There is no denying the importance of mainframes within the enterprises that use them. Respondents to Rocket’s survey say the top three qualities that contribute to their organization’s reliance on the mainframe are reliability (34%), security (27%), and efficiency (22%). Modernizing in place is a great way for mainframe-reliant businesses to meet demands while positioning themselves for future success with an efficient and sustainable IT infrastructure.

Open-source software provides many benefits that can help businesses modernize mainframe development through capabilities that drive application and infrastructure modernization, accelerate application development, and enable the next generation of developers. Through DevOps/AppDev solutions, businesses can bring the accessibility of open source to the mainframe while ensuring the compliance and security of their system’s data. By automating processes, organizations can easily implement modern application development practices while ensuring compliance with organizational standards and business rules. Because of the development of open DevOps/AppDev solutions, businesses can bring applications to market faster, at lower cost, and with less risk.

Why the mainframe needs secure open source

Open-source solutions can provide the mainframe with a litany of benefits, but like any other technology, open source is not foolproof and comes with its own challenges. One of the main open-source challenges concerns security as applications are developed and delivered to and from the mainframe. Organizations are also concerned that if vulnerabilities are found in open-source software, they will take a long time to fix.

To overcome these challenges, organizations must take a security-first mindset and partner with industry-leading vendors to ensure that they have the capabilities to identify vulnerabilities and make fixes in time to mitigate security risks. For example, Rocket Support for Zowe gives users access to modern capabilities from the Open Mainframe Project’s Zowe open-source framework that make it easier to interface and develop applications while providing 24/7 support, security, and compliance assurance.

The mainframe has been around for more than 50 years, and with the ability to integrate the latest technologies to match today’s business needs, it’s not going anywhere. Modernizing mainframe development with open-source software will enhance development practices while ensuring compliance with organizational standards and business rules.

To learn more about the power of open source on the mainframe, visit our website.


As the threat of climate change looms, organizations across every sector are focused on driving sustainable progress and innovation. Most of these organizations are measuring success based on their stated goals in environmental, social, and governance (ESG) initiatives and results. 

Now there is a way to quantify and verify those achievements. It’s called Project Alvarium, and its mission is to create a framework and open APIs that help organizations reliably and securely quantify trust in data collected and analyzed near the point of conception. This secure data can deliver near real-time insights into an operation’s carbon footprint, thus increasing transparency and accuracy in reporting.

Why Valid Sustainability Measurement Matters

As part of the imperative to slow or reverse global warming, some governments are regulating emission levels over time. Public pressure on companies and industries to reduce their carbon footprints is also having a major impact, especially among investors who want to align their hopes for environmental repair and renewal with where they invest their money.

Many companies claim that they pursue environmentally sustainable best practices when it comes to energy usage and pollution, yet few regularly report their results. In June, Bloomberg reported that a financial institution was fined by the U.S. Securities and Exchange Commission for falsely stating that some of the firm’s mutual funds had undergone ESG quality reviews. These regulatory efforts are an attempt to combat “greenwashing,” or incorrect reporting and reimbursements related to fraudulent or unsubstantiated claims about the environmentally responsible practices of companies.

This begs the question: How can the carbon footprint of companies ― from employees to devices, materials, and processes ― be measured and quantified?

Project Alvarium

Available for use by any industry, Project Alvarium includes tools for monitoring, reporting, and verifying metrics in data confidence fabrics (DCFs) that quantify trust in data delivered from devices to applications. This open-source trust framework and software development kit (SDK), hosted by the Linux Foundation and announced in 2021, is the culmination of a four-year collaboration among Dell, Intel, Arm, VMware, ZEDEDA, the IOTA Foundation, and ClimateCHECK. Trust in the data, and in the applications and infrastructure used, is quantified in a confidence score. The dashboard can be customized to include specific algorithms and indices related to different industries. Trust fabrics also make it easier to scale data and network security compliance requirements and to monetize data.

The project represents a collaborative effort to unify open source and commercial trust insertion technologies in a standardized environment. There is no single data confidence fabric. Instead, each organization can build their own with preferred technologies using the Alvarium framework. 

In a home environment, for example, there are many different Internet of Things (IoT) devices, from TVs and laptops to smartphones, cars, digital assistants, security cameras, and kitchen appliances. All are supported by intersecting trust fabrics from different vendors. Project Alvarium’s data confidence fabric can be adapted to a home environment to facilitate scalable, trusted, secure collaboration across heterogeneous ecosystems of applications and services connected to an open, interoperable edge. Most recently, Alvarium has been put to work in helping to define what data confidence looks like in the climate industry.

Measuring and Quantifying Environmental Impacts

Recently the Project Alvarium framework was used to adapt an automated measurement, reporting, and verification (MRV) solution at a biodigestion energy and composting facility at a winery in Chile. It processes data from sensors measuring water, solids, gases, and anaerobic digestion processes to provide real-time insights into the facility’s carbon footprint.

Deployed at the edge, it is available as a blockchain solution with high levels of trust, transparency, and security. The solution at the facility has enabled the local utility in Chile, Bio Energía, to replace manual process reviews with continuous, real-time, trustworthy monitoring and reporting that provides a much more accurate understanding of how different innovations impact carbon emissions. 

This type of trustworthy sustainability reporting provides the public with validated information on company practices. It can lower barriers to carbon credit issuance and lure more investors to fund businesses that are introducing new innovations to mitigate the effects of climate change.

Learn more about Project Alvarium and edge computing solutions at Dell Technologies.

***

Intel® Technologies Move Analytics Forward

Data analytics is the key to unlocking the most value you can extract from data across your organization. To create a productive, cost-effective analytics strategy that gets results, you need high performance hardware that’s optimized to work with the software you use.

Modern data analytics spans a range of technologies, from dedicated analytics platforms and databases to deep learning and artificial intelligence (AI). Just starting out with analytics? Ready to evolve your analytics strategy or improve your data quality? There’s always room to grow, and Intel is ready to help. With a deep ecosystem of analytics technologies and partners, Intel accelerates the efforts of data scientists, analysts, and developers in every industry. Find out more about Intel advanced analytics.


By Liia Sarjakoski, Principal Product Marketing Manager, 5G Security, for Palo Alto Network Security

Governments, organizations, and businesses are readily embracing transformation at the edge of mobile networks these days. Mobile edge – with its distributed support for low latency, capacity for rapid delivery of massive data amounts, and scalable cloud-native architectures – enables mission critical industrial and logistic applications and creates richer experiences across remote working, education, retail, and entertainment. Bringing resources closer to the user enables a better user experience, serving mission critical applications and taking advantage of improved economics.

But mobile edge, including Multi-access Edge Computing (MEC), requires a new kind of approach to cybersecurity. It is a new environment where the network, applications, and services are distributed not only geographically but also across organizational boundaries. Service providers’ 5G infrastructure and enterprise networks will be deeply intertwined. Further, the mobile edge will be highly adaptive. It will dynamically scale to meet the demands of new applications and changing usage patterns.

Effective 5G edge security is best achieved through a platform approach that combines the protection of diverse mobile edge environments under one umbrella. A platform approach not only provides visibility for advanced, network-wide threat detection but it provides the necessary foundation for security automation. Automation is vital for security to keep up with the dynamically changing 5G environment.

We can think of 5G networks as including four types of edge environments. Effective edge security spans all of these environments.


Regional data centers — protect distributed core network with distributed security

Driven by the explosion of mobile data and improving customer experience, service providers are distributing core network functions — e.g., Session Management Function (SMF) and Access and Mobility Management Function (AMF) — closer to the users to regional data centers. Service providers are able to improve user traffic latency and can optimize their transport architecture for cost savings.

As network functions — e.g., SMF and AMF — are brought to the edge of the network, securing them needs to take place there, as well. Instead of providing protection at one to three national data centers, it now needs to be implemented at five to 10 regional data centers. The key interfaces to protect are N2 and N4. Unprotected N2 interfaces can be vulnerable to Radio Access Network (RAN) based threats from gNodeB base stations (gNBs). Unprotected N4 interfaces can be vulnerable to Packet Forwarding Control Protocol (PFCP) threats between distributed user plane function (UPF) — e.g. located in a MEC environment — and the core network.

Additionally, SMF, AMF, and other network function workloads need protection in this typically cloud-native container-based environment.

The key for protecting the regional data center environment is a cloud-native security platform that can be automatically scaled to changing traffic or topology demands. At the same time, many of the threats are telco specific and preventing them requires built-in support for the telco protocols.
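The N4 threats mentioned above are easier to reason about with the protocol in hand. As an added example (not from the article or from Palo Alto Networks), the following Python sketch parses the fixed PFCP header as laid out in 3GPP TS 29.244 and applies the allowlist checks a defender would place in front of an SMF: known UPF peer, supported version, known message type, and an S flag consistent with the message type. The peer addresses, the sample datagrams, and the `check_n4_datagram` and `build_pfcp` helper names are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Message types from 3GPP TS 29.244. Node-related messages (1-15) carry no
# SEID (S flag = 0); session-related messages (50-57) carry one (S flag = 1).
NODE_MESSAGES = {
    1: "Heartbeat Request", 2: "Heartbeat Response",
    3: "PFD Management Request", 4: "PFD Management Response",
    5: "Association Setup Request", 6: "Association Setup Response",
    7: "Association Update Request", 8: "Association Update Response",
    9: "Association Release Request", 10: "Association Release Response",
    11: "Version Not Supported Response",
    12: "Node Report Request", 13: "Node Report Response",
    14: "Session Set Deletion Request", 15: "Session Set Deletion Response",
}
SESSION_MESSAGES = {
    50: "Session Establishment Request", 51: "Session Establishment Response",
    52: "Session Modification Request", 53: "Session Modification Response",
    54: "Session Deletion Request", 55: "Session Deletion Response",
    56: "Session Report Request", 57: "Session Report Response",
}

# Constructed allowlist: the only UPFs (e.g. at MEC sites) expected to speak
# PFCP to this SMF; any other source on N4 is unexpected by definition.
ALLOWED_UPF_PEERS = {"10.20.0.5", "10.20.1.5"}


@dataclass
class PfcpHeader:
    version: int
    has_seid: bool
    message_type: int
    length: int
    seid: Optional[int]
    sequence: int


def parse_pfcp_header(data: bytes) -> PfcpHeader:
    """Parse the fixed PFCP header; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("datagram shorter than the minimum PFCP header")
    flags, msg_type, length = struct.unpack("!BBH", data[:4])
    version = flags >> 5            # version sits in the top 3 bits of octet 1
    has_seid = bool(flags & 0x01)   # S flag is bit 1 (the LSB) of octet 1
    # Message Length counts every octet after the 4-octet mandatory part.
    if length != len(data) - 4:
        raise ValueError(f"length field {length} != actual {len(data) - 4}")
    if has_seid:
        if len(data) < 16:
            raise ValueError("S flag set but no room for SEID and sequence")
        seid = struct.unpack("!Q", data[4:12])[0]
        sequence = int.from_bytes(data[12:15], "big")
    else:
        seid = None
        sequence = int.from_bytes(data[4:7], "big")
    return PfcpHeader(version, has_seid, msg_type, length, seid, sequence)


def check_n4_datagram(src_ip: str, data: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one N4 datagram (hypothetical
    policy: allowlisted peer, version 1, known type, S flag matches type)."""
    if src_ip not in ALLOWED_UPF_PEERS:
        return f"drop: unexpected PFCP peer {src_ip}"
    try:
        hdr = parse_pfcp_header(data)
    except ValueError as exc:
        return f"drop: malformed header ({exc})"
    if hdr.version != 1:
        return f"drop: unsupported PFCP version {hdr.version}"
    if hdr.message_type in NODE_MESSAGES:
        if hdr.has_seid:
            return "drop: node message carries SEID"
    elif hdr.message_type in SESSION_MESSAGES:
        if not hdr.has_seid or hdr.seid is None:
            return "drop: session message without SEID"
    else:
        return f"drop: unknown message type {hdr.message_type}"
    return "accept"


def build_pfcp(msg_type: int, seq: int, seid: Optional[int] = None,
               payload: bytes = b"", version: int = 1) -> bytes:
    """Build a PFCP datagram (used only to construct sample traffic here)."""
    flags = (version << 5) | (0x01 if seid is not None else 0)
    body = struct.pack("!Q", seid) if seid is not None else b""
    body += seq.to_bytes(3, "big") + b"\x00" + payload   # seq + spare octet
    return struct.pack("!BBH", flags, msg_type, len(body)) + body


if __name__ == "__main__":
    samples = [  # constructed: legitimate heartbeat, session setup, then abuses
        ("10.20.0.5", build_pfcp(1, seq=1)),
        ("10.20.0.5", build_pfcp(50, seq=2, seid=0x1234)),
        ("192.0.2.9", build_pfcp(1, seq=3)),
        ("10.20.1.5", build_pfcp(1, seq=4, seid=7)),
        ("10.20.1.5", build_pfcp(50, seq=5)),
        ("10.20.1.5", build_pfcp(1, seq=6)[:6]),
    ]
    for ip, pkt in samples:
        print(ip, pkt.hex(), "->", check_n4_datagram(ip, pkt))
```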

Public MEC — support user experience with cloud-native security

Public MEC is part of the public 5G network and typically serves consumer and IoT use cases. It integrates applications as part of the 5G network and brings them closer to the user. This improves the user experience while also optimizing the cost by deploying resources where they are needed. Public MEC is built into the service provider’s network by utilizing a distributed user plane function (UPF) to directly break out traffic to edge applications. Many service providers are partnering with cloud service providers (CSPs) on building these application environments as the CSP platforms have become the standard.

As third-party applications become an integral part of 5G networks, protecting and monitoring the application workloads and protecting the UPF with microsegmentation help stop lateral movement by attackers.

Edge applications are also integral to the 5G user experience. Smoothly working applications, such as video content, AR/VR, and gaming, improve service providers’ customer retention rates.

Securing the public MEC calls for a cloud-native, multi-cloud approach for cloud workloads and microsegmentation.

Private MEC – empower enterprises with full control over 5G traffic

Private MEC is deployed at an enterprise customer’s premises and is often set up alongside a private 5G or LTE network, serving mission-critical enterprise applications. It utilizes a local UPF to break out user plane traffic to the enterprise network. The traffic is further routed to a low-latency edge application or deeper into the enterprise network. A key driver for private MEC adoption is privacy of the traffic: an enterprise has full control of its 5G traffic, which never leaves its environment.

Private MEC carries the enterprise customer’s data. In today’s distributed world with eroded security perimeters, many enterprises rely on the Zero Trust approach to protect their users, applications and infrastructure. A critical building block for implementing a Zero Trust Enterprise is the ability to enforce granular security policies and security services across all network segments — including 5G traffic. Service providers need to find ways to empower enterprise customers with full control over the 5G traffic.

At the same time, the service provider needs to securely expose interfaces from the customer’s premises to their core network — namely the N4 interface to SMF for PFCP signaling traffic originating from the private MEC.

Private MEC security requires a flexible approach that brings security to heterogeneous private MEC environments across appliance, virtual, and cloud deployments. Many enterprises will choose to leverage partners for turnkey private MEC solutions, and they will require built-in security. Cloud service providers are also going after the private MEC market, and the ability to provide cloud-native security will be critical.

Mobile devices — most effectively protected with network-based security solutions

Accelerated by rapidly increasing IoT devices, the number of mobile devices is massive. The devices are heterogeneous across a multitude of software and hardware platforms. The limited computing and battery capacity of these devices often forces the device vendors to make compromises in security capabilities, making mobile devices a soft target. Infected devices can compromise organizations’ business critical data and disturb mission-critical operations. They also pose a risk to the mobile network itself, especially in case of botnet-originated massive, coordinated DDoS attacks.

The combination of limited device resources, heterogeneous device types, and device vendors’ tight control of the platforms makes it difficult to implement device-based security solutions at scale. Network-based security, on the other hand, is a highly effective method to protect mobile devices at scale. When supported with granular visibility into user-level (SUPI) and device-level (PEI) traffic flows, network-based security can see and stop advanced threats in real time. Organizations are able to protect their mobile devices across attack vectors including vulnerability exploits, ransomware, malware, phishing, and data theft.

Network-based security can be deployed as part of any of the edge environments or the service provider’s core network.

Staying on top of privacy in distributed 5G networks

Protecting private information is more important than ever. Handling of private information is heavily regulated and breaches can result in public backlash. As the mobile core network becomes more distributed, the service providers need to double down on protecting Customer Proprietary Network Information (CPNI) that is now often carried in the signaling traffic (e.g., N4) between MEC sites and regional and national data centers. Service providers often use encryption to protect CPNI.

Conclusion

Securing the 5G edge requires a zero trust approach that can scale across multiple different environments. The distributed 5G network no longer has a clear perimeter. Service providers’, enterprises’, and CSPs’ assets and workloads are intertwined. Only through visibility and control across the whole system can service providers and enterprises detect breaches and lateral movement and stop the kill chain.

The new mobile networks are complex, but securing them doesn’t need to be. The key for simple 5G edge security is a platform approach that manages protecting the key 5G interfaces under a single umbrella — no matter if they are distributed across private and public telco clouds and data centers.

Learn more about Palo Alto Networks 5G-Native Security for protecting 5G interfaces, user traffic, network function workloads and more. Our ML-Powered NGFW for 5G provides deep visibility to all key 5G interfaces and can be deployed across data center (PA-Series), virtual (VM-Series), and container-based (CN-Series) environments. Our Prisma Cloud Compute provides cloud-native protection for container-based network function (CNF) workloads.

About Liia Sarjakoski:
Liia is the Principal Product Marketing Manager, 5G Security, for Palo Alto Network Security
