Post on 26-Aug-2020

ITSM & IT Security

eBOOK

The role of ITSM in the big IT security debate

Introduction

Hacking threats such as WannaCry and others have caused budget holders to refocus on network and end-point IT security – but they may be missing the point.

There is little doubt that headline-grabbing events such as the WannaCry NHS attacks in the UK and beyond cause businesses, both public and private, to re-evaluate their IT security policies and the tools that they use to keep company information and networks secure.

In the days following the attack, the ever-increasing number of network and end-point security-led vendors started to extol the virtues of their application suites in protecting against and, in many cases dealing with, an existing threat.

Business interaction is changing

To face these modern threats, however, it is necessary to do more than just buy in increased IT security. Of course, this has a significant position in the IT arsenal, but there are many other areas where businesses can hugely increase their own data and application security, and this is where ITSM can play a significant role.

Service delivery has grown in terms of its reach and now typically manages both internal and external customers. This includes an ever-increasing amount of self-service automation, where customers can interact with the organisation in a more virtual way and have their issues or service requests resolved automatically. AI and chatbot functionality is adding to this automation and will soon be a common way to interact with first-line support.

But how does all this affect the IT security debate?

ITSM has traditionally been deployed as on-premises, cloud SaaS or a hybrid cloud solution. Indeed, the many organisations that have been sensitive about their customer and employee data have driven the hybrid market, keeping their data in-house and maintaining their own IT infrastructure in the form of servers to hold the data. Such a set-up has one clear disadvantage in this new era of security investment.

Owning and maintaining your own server infrastructure is expensive and time-consuming. Servers need to be patched, updated, secured and guarded against modern threats. In essence, they have become an expensive liability that the IT team is desperate to protect as a part of its responsibility.

Modern threats require modern thinking

The benefits of SaaS are easy to evangelise, but the concerns for many organisations about pushing their data to the cloud run deep. The fact is, though, that the modern security threats faced by many of these organisations can be resolved in large part by switching their application usage to the SaaS model. Of course, not all SaaS is created equal, but there is no doubt that it removes from IT the burden of updating the applications in use and protecting a costly infrastructure from threats. Instead, the management of such threats resides with the vendor supplying the ITSM application and, of course, the solution backbone that delivers the SaaS itself, be it AWS, Azure or similar.

Furthermore, the delivery of ITSM SaaS gives IT departments a whole raft of other benefits in security terms. Many ITSM vendors offer the ability to manage licenses, deploy patches and updates and can remotely control a user’s system in doing so. But what happens when an employee’s device becomes infected, gets stolen or hacked? One of the key benefits of switching to SaaS is that you can immediately block an account and then access, control and reinstall the account on another device.

This can significantly improve the control that IT has over user access, but it also hugely reduces the complexity and time taken to rebuild a user laptop, for example – something that is a common outcome of hacked or compromised devices. From an IT security point of view, I would go as far as to say that a modern disaster recovery set-up should always consider a SaaS approach as the best option, managing licenses centrally – deactivating and reallocating licenses as needed and backing up profiles and data in the cloud rather than on a local machine that could be damaged or stolen.

Embracing mobile IT increases the ability to react to threats

SaaS ITSM also gives users the ability to access their service applications securely via mobile devices such as smartphones and tablets. This not only gives greater working flexibility, but also enables users of the system to react more quickly to potential threats or incidents from any location, rather than relying on an often-complex connection to an on-premises system. The key thing to remember is that your IT practitioners need to be able to utilise modern technology and modern devices to react and cope with modern threats. ITSM can not only help you to manage these threats better, but can also give you a greater understanding of the issues and incidents that create possible threats, which can then be resolved to increase data security. Removing more-complex infrastructure and allowing your data to reside in the cloud will unburden your organisation and give you more budget to invest in other toolsets that will truly protect you from future threats.

It is more important than ever to look at the ITSM solution you are using and to re-evaluate the way in which it is administered and deployed. There are myriad ITSM solutions that are rethinking the way in which service management is delivered, many of which will likely save you money rather than incur a frightening replacement cost. And this is the real beauty of switching to SaaS – it gives you an increased level of IT security and may not be as costly as you think!

Cloud vs on-premises vs hybrid

On premises

Generally speaking, on-premises solutions are physically located at an organisation’s own office site or in a hosting location of their choice. The application in use and all the data associated with it is stored on a server or a private cloud in this location. This enables the organisation choosing to deploy in this way to fully control its own security and access to the data and application. This also means, however, that the company is responsible for maintaining the hardware the application is being delivered from and maintaining security and access to that server location.

Cloud SaaS

Cloud Software as a Service solutions are hosted and delivered via an off-site cloud system, typically accessed via a desktop or mobile browser. All data and configuration is held in the cloud and does not reside on the client site. Updates to the application, along with all security and availability, are usually the responsibility of the vendor who is delivering the service with no upkeep of physical servers to be considered. Cloud solutions are usually also subscription-based and involve a monthly or annual fee for use.

Hybrid cloud

A hybrid cloud solution is one where an organisation uses a mix of on-premises private cloud and public cloud services. It can offer flexibility as it allows workloads to shift between the two when capacity and costs change. Sensitive workloads and data can be hosted in the private cloud, with less critical workloads hosted in a public cloud. If a company has regulatory requirements for data handling and storage, then this can be provided in the private cloud. Or perhaps an organisation could host its e-commerce site within a private cloud and their corporate site within the public cloud. Public cloud services such as Microsoft Azure or Amazon Web Services provide scalability, giving an organisation the ability to only pay for the resources it consumes. The important thing is to have the technology in place to allow the two clouds to connect and interact.

Which deployment option is most secure?

There really is no simple response to this question, as it greatly depends on the security of the application you are using and how access to the app is maintained and secured – no matter which option you choose. It could be argued that on-premises solutions are the least secure, as they are entirely reliant on the security of your own infrastructure and your IT team’s ability to keep everything patched and up to date. Maintaining the application, and the operating system of the server it resides on, becomes the sole responsibility of your organisation. You also need to consider your network security and how users will access the server application.

While cloud SaaS offers a cost-effective solution to many of the on-premises software issues, it is vital to remember that not all cloud SaaS is equal. Check how the vendor application is delivered and that it supports a high level of security such as TLS encryption. It is also important to learn about how the cloud service will be delivered and by which service provider. This will affect both the security and the speed of your chosen service.

Hybrid cloud can be seen as the best of both worlds, offering both robust security and scalability. It is, however, a more complex and therefore expensive alternative to cloud SaaS. It is also, due in most part to the ability to provide cloud bursting, a solution that will appeal to a smaller group of organisations that could truly benefit from such technology.

How safe is your data in the cloud?

Who owns the data?

The premise of switching to an ITSM SaaS solution is that you take your customer data and store it in a non-physical location that you don’t own. This does not mean that you relinquish control and ownership of that data, though. Vendors have no desire to take ownership of your data and will most likely distance themselves from this in their service level agreements (SLAs) and contract agreements with customers. Most providers will also restrict their own company’s access to your data, unless you activate the ability for a support administrator to make changes on your behalf. This can be turned on and off at your discretion. It must be remembered that the vendors have a vested interest in protecting your data, its integrity and ownership at all costs. Trust and ownership are, after all, key to growing the vendor’s own customer base.

Data encryption

Another area of concern for any cloud application and its security is the way in which data travels between the user browser and the application itself. Most users will be aware of SSL (Secure Sockets Layer) and the encryption it offers to online shoppers in particular, but for secure transfer of application data this has been replaced by TLS (Transport Layer Security). TLS has a greater encryption level (256-bit), which is the same level of security employed by banks. The TLS process secures the communication and transfer of data between browser and app, creating a symmetric encryption that is unique to each and every connection. Advanced ITSM cloud solutions that employ this encryption method will also use the protocol to secure email transactions between the application, end-users, managers and support specialists.

Vendors and their role in maintaining application security

Cloud ITSM vendors will employ many security and access protocols to maintain the service that they supply to you. Access and usage of the system is frequently monitored and threats or attempts to gain access or to action unauthorised operations are dealt with immediately. Because of the threat to data integrity, and of course the vendor’s bottom line, it is common for the vendor to continually test its own code and cloud environment security so that it can patch any vulnerabilities before they occur. This is also true when considering application updates and releases – where it is not only the security that needs to be tested, but also the impact that it will have on user data access and process.

Conclusion

The modern security threats we now face will force organisations to scrutinise their IT network, infrastructure and software assets. ITSM already offers much of the data and analytics that will help with such scrutiny, but the way in which this application and others across the business are delivered can also increase security and reduce the burden on IT. As has been outlined in this paper, the cost savings in assets and their maintenance create a compelling argument for a move to the cloud. But reducing costs and increasing security is only the beginning. Organisations still need to look at how they can improve network and asset security to face down the hacking threat. Savings in ITSM deployment are a serious route to consider, as this will free up vital IT budget for other security solutions that are more far-reaching and targeted than ITSM alone.

About Revo

Your success with ITSM, SIAM and service delivery is our focus.

Revo provides a unique level of expertise that ensures you partner with the right people and skillsets for your investment. We believe in a long-term partnership, providing quality service and the right advice.

Revo offers:

superior service
first-class support
helpful advice

We offer the following ITSM user/identity management and integration solutions:

4me: An enterprise service management (ESM) solution for seamless collaboration between internal, external and outsourced teams.

Cloudpipes: Makes it possible to rapidly implement business workflows that would be either time-consuming or impossible to implement in other systems.

OneLogin: Enables you to securely connect every user, app, device and directory through Unified Identity Management.

Tel: +44 (0)1564 330680 Email: [email protected] Revo 4me Services Ltd., Forward House, 17 High Street, Henley-in-Arden, Warwickshire, B95 5AA

CONTRIBUTOR

ServiceMuse.com

revo4me.com