Category: IT Security

Next-generation Security Operations Centers | Blog

The rapid pace of digitalization has increased enterprise exposure to a diverse and evolved range of cyberattacks. However, many enterprises make security an afterthought rather than a part of their digital transformation journey. While they’ve always had a daunting task to make their business resilient, the COVID-19 pandemic has only added to their woes. A global shift toward remote working and the sudden expansion of the enterprise perimeter has contributed immensely toward enterprise challenges.

Here’s a quick snapshot of some high-level security-related challenges that enterprises will continue to face in 2021:

To overcome these challenges, which are associated with speed and scalability of security services delivery, enterprises rely on security operations centers (SOCs) to monitor systems and defend against breaches. As the frequency and severity of breaches continue to rise, traditional SOCs and Security Information and Event Management (SIEM) systems based on signatures and rule-based automation are quickly becoming obsolete, as they make it immensely difficult for security analysts to stay on top of internal and external threat-related data.

Consequently, SOCs need to transition to an “Aware” state that is underpinned by cognitive capabilities that help detect, prevent, and resolve incidents at scale to keep pace with evolving adversaries.

What is Aware SOC?

Simply put, an Aware SOC is underpinned by next-generation SIEM and cognitive technologies – AI and ML along with decision automation – to deliver intelligent security operations. The Aware SOC is built on a single platform that seamlessly integrates solutions from multiple vendors to augment existing capabilities. Designed to secure distributed enterprise architecture, an Aware SOC brings together the best of human + machine capabilities to help enterprises fight against the rising tide of sophisticated cyberattacks.

The table below shows how enterprises should think about an Aware SOC as an amalgamation of best-of-breed technology and talent:

Security operations done right: Moving to a platform-driven Aware SOC

The pandemic has been a major change agent for enterprises, significantly impacting their security operations. To incorporate speed and scalability in their security operations, enterprises are now re-thinking their SOC architecture. The platform that an enterprise chooses for its security operations has started to become a pivotal element of its overall security infrastructure, becoming the de facto operating system for other point-based security tools. The shift to a platformized cloud-first approach, underpinned by SaaS-based tools for monitoring, threat hunting, vulnerability assessment, and incident resolution is expected to be the springboard of security transformation for medium and large enterprises.

Here’s our view of an architecture for a platform-driven Aware SOC:

Enterprises can find significant value in a platform-driven Aware SOC, which lets them break systems down into building blocks and brings in modularity that allows them to scale and manage security controls across environments. The elements of the platform, spanning data lake and network traffic analysis, also give enterprises enriched insights related to their existing and to-be security estates.

Advantages of investing in a platform-driven Aware SOC

Investing in an Aware SOC is a highly strategic decision. Beyond economic benefits, a platform-driven Aware SOC produces a number of other benefits, including speed, scalability, resiliency, and efficiency. The benefits discussed below are not an all-encompassing list but instead a starting point for exploring the benefits of investing in a platform-driven Aware SOC:

  1. Automated security across the enterprise IT estate – ingest alerts across multiple environments and execute automated workflows/playbooks to speed up incident response
  2. Break team silos – playbooks for real-time collaboration capabilities that enable security teams to solve for existing and new threats and breaches
  3. Expedite incident investigations – enables standardized response for high-quantity attacks such as DDoS attacks. Also helps security analysts adapt to sophisticated one-off attacks.

Whether an enterprise is thinking of outsourcing security operations or bolstering them internally, it needs to future-proof its overall cybersecurity strategy. While charting the broader cybersecurity strategy, an enterprise needs to keep a firm sight on its short-, mid-, and long-term business goals. This is where a platform-driven Aware SOC can help. A platformized approach to Aware SOC that stitches the entire security fabric together will go a long way in ensuring that the enterprise’s cybersecurity strategy aligns with business goals such as speed, scalability, and resilience.

Follow this space for more blogs on cybersecurity. Meanwhile, please feel free to reach out to [email protected] and [email protected] to share your experiences and ask any questions you may have.

Self-aware Data – Securing Data across its Life Cycle | Blog

Increasingly costly data breaches in recent years have shown the importance of data protection and privacy in the age of the data economy. While organizations have accelerated their pace in adapting to the increased levels of security and data sharing, much still needs to be done. IBM’s 2019 Cost of Data Breach Report showed that the global average cost to an organization of a data breach was US$3.92 million, a 12% increase over five years. The latest attack on the European Medicines Agency (EMA) – in which hackers successfully penetrated and stole important information regarding the COVID-19 vaccine – is just one of the many examples of ever-increasing cyberthreats.

Where are the gaps?

Indeed, the key ways in which organizations still fail to secure data – even after so many advances in cybersecurity – have been highlighted by the rising number of data breaches during the COVID-19 pandemic, including such examples as:

  • Organizations secure the transport layer in which data is transferred rather than securing data itself
  • The controls and policies lie within an organization’s IT estate rather than with the data owner
  • There is a lack of centralized visibility into data movement and assets across the organization
  • It takes too much time and effort to implement policy changes across the organization
  • Employee awareness of, and preparedness for, security is generally the weakest link in cyber defense; a majority of breaches can be traced back to human negligence

Moving toward self-aware data

This situation is precisely where self-aware data can help. Self-aware data refers to data that is intelligent and can protect itself from intrusions. Each piece of self-aware data can defend itself at any place, continuously, during its lifespan and does not rely on securing the communication tunnel, which is the common security method. The approach is based on democratizing data security, which includes a process by which the data owner sets up policies related to accessing their data. It treats the root cause of data loss rather than the symptoms.

Let’s take a closer look at how organizations can implement self-protecting, self-aware data:

  • Focus on data rather than the communication channel – The core focus should be on securing data. A wrapped layer of security protocols across data enables the user to freely send the data across media without the worry of data loss. The data owner sets these protocols, and only users who meet these protocols can access the data.
  • The owner controls the data asset throughout its life cycle – Once the owner creates the data and establishes access-related policies, that owner should have complete control of the data until it is deleted. Even if copies are made on any devices or stored across locations, the owner should be able to control the files with the same policies.
  • Seamless data movement and interoperability across platforms – Self-aware data needs to be operable across platforms, devices, applications, operating systems, cloud services, and data centers. It must be universally deployable and interoperable to provide real-world protection across today’s diverse environments.
  • Built-in log analysis – Organizations need to implement built-in log analysis across the data life cycle, from creation to storage, until destruction. Self-aware data should be able to provide proof of possession, custody, and control. It needs to provide this information back to its owner for every copy or instance from anywhere.
  • Ability to upgrade policies on the fly – To adapt to the dynamic cybersecurity regulations, owners should have the feature set to apply any new policy regulation across all files at any time.

Future-proofing data

In a rapidly changing digital world, there is also an increasing need to future-proof intelligent data. We thus recommend the following actions to safeguard self-aware data from the next-generation threats of AI-/ML-powered cyberattacks:

  • Implement geo-fencing and geo-location capabilities – Such policies can ensure that the data stays within the organization’s geographical presence, which is especially helpful as we increasingly see a rise in hacker groups from specific geographies.
  • Detect and safeguard related data pieces – Organizations should also ensure that the protection rules or protocols are able to replicate themselves wherever that data or any part of it flows. For example, if the protocols allow certain users to access an Excel sheet containing a sales data table, these protocols should be replicated automatically if any row of that sales table is used in any other document or Excel file to ensure end-to-end data safety.
  • Foolproof data against any augmented intelligence approach – Data masking and Generative Adversarial Network (GAN)-based techniques to generate synthetic data have been a boon for training AI/ML models. Self-aware data, if masked or even synthesized to generate new synthetic data, should be able to recognize the base parent file and initiate the same set of protocols on the new files created.

When combined with a zero-trust architecture, self-aware data can act as an invulnerable armor for the valuable data assets that organizations possess. To capitalize on the opportunity, some startups have already started work on tools and solutions to enable self-aware data in the hopes of making data breaches irrelevant.

If you have any questions regarding how self-aware data can help secure your existing data landscape or would like to share your inputs on the broader cybersecurity landscape, please write to us at [email protected] and [email protected].

Digital Trust – the Key to Secure Customer Engagement and Stickiness | Blog

In an age of pervasive cyberthreats and attacks, enterprises increasingly realize that ensuring trust and privacy is vital in the customer journey. In fact, CXOs now view cyber risks as business risks that can prevent them from establishing strong customer relationships, and they are proactively trying to find ways to address privacy or security gaps in their customer engagements.

In this context, the goal of digital trust is to instill confidence among enterprise customers, business partners, and employees in an organization’s ability to maintain secure systems, infrastructure, and perimeters, as well as to provide a secure, reliable, and consistent experience. Today, digital trust underpins businesses’ success directly by creating confidence among customers and other stakeholders.

Users at the core of digital trust

Establishing digital trust goes beyond the creation of a secure application or enforcement of stringent regulations to avoid cyberattacks. It is about leveraging the right combination of tools and technologies to create a superior digital experience for users that not only protects their privacy but also exceeds their service expectations.

To create such an unparalleled and smooth user experience through their digital transformation initiatives, enterprises should ensure and embed digital trust seamlessly in their processes and systems. Organizations need to understand that they can achieve 360-degree trust only if they keep the user at the center of digital transformation initiatives and build enterprise security controls around user attributes such as device, data, applications, and user environment.

To make digital trust a reality, enterprises should comply with privacy regulations to have the right data security controls across environments, employ usage-based security controls across the IT estate, provide secure access to user devices, understand user behavior through behavior and entity analytics, and monitor user activity to create secure access across applications, devices, and networks.

Building digital trust the right way

In a 2019 Everest Group survey of 200 CIOs, about 71% said they believe that they lacked centralized visibility across their IT estate, almost 42% said they were unable to measure and quantify end user experience, and 53% were unable to leverage essential technologies to improve end-user experience. About 70% of enterprises still lacked the capabilities of a unified threat detection system to prevent, detect, and manage unknown threats. These figures point to the glaring gaps in enterprises’ IT security infrastructures and understanding of their users’ experiences.

The concept of digital trust ties together business objectives and business resilience goals and ensures that the right user with the right intent is granted the right set of access and permissions for the right purpose. To build digital trust among users, organizations need to consider specific action items for different cybersecurity segments to create 360-degree digital trust, as outlined in the exhibit below.

Instead of implementing discrete security controls across the organization, enterprises need to take a holistic, outcome-oriented approach to cybersecurity. When organizations approach cybersecurity with the objective of creating a seamless user experience, it facilitates a sense of mutual and complete trust.

Digital trust in the age of COVID-19

The COVID-19 pandemic has led to a massive shift from offline to online channels. Such digital business extensions have created unprecedented security concerns worldwide. Users are concerned about the security of their private data and how organizations handle it. To build trust, enterprises must focus on building an empathetic and secure organization. If they can get this right, they will be able to win customer loyalty and trust, thereby laying the foundation of a future-proof sustainable business. As the world fights the pandemic, digital trust could well be the glue that binds customers to them.

To learn more about the need to think of IT security as the key enabler of digital trust among users and customers, please see our latest report, Digital Trust – The Cornerstone of Creating a Resilient and Truth-based Digital Enterprise. You could also reach out to us directly at [email protected] or [email protected] to explore this concept further.

Anti-financial Crime Talent Imperatives in the Digital Age | Blog

For years, financial institutions have struggled to attract and retain quality anti-financial crime (AFC) talent, which remains a compliance program’s most vital asset. And the situation is only getting worse.  Why? First, both the importance and application of anti-money laundering (AML) and fraud risk management are increasing. Second, the requirements and expectations of regulators are snowballing. And third, demand for AFC talent is skyrocketing while unemployment remains low. It’s a perfect storm.

Perhaps most importantly, the AFC workforce must now be able to work with artificial intelligence and machine learning technologies. Financial institutions that can’t adapt their workforce to the demands of this new augmented human intelligence era simply won’t survive. Knowing what talent to look for – and how to attract, manage, and retain it – is key.

The changing definition of talent and the rise of “bilinguals”

In the past, whenever new compliance initiatives or regulations arose, banks tended to staff up operational teams to address them. Now banks realize that hiring operational staff isn’t enough. Instead, solving for the underlying problem – be it “Know Your Customer” remediation, reducing incidences of fraud, or ensuring better AML compliance – is the answer.

To do this, banks are breaking up their talent pyramid into tasks. Those tasks that are manual and repetitive (and therefore subject to a high degree of automation) sit at the bottom of the talent pyramid. And those requiring a high degree of judgment that can be handled only by skilled employees sit at the top. As a result, talent must now be “bilingual,” possessing not only the domain and operational expertise to drive judgments but also the technology expertise to help automate repetitive, mundane tasks.

Attracting talent

If a bank has bilingual workers, it’s not letting them go, so finding such talent at scale through hiring practices alone is unlikely. Instead, the challenge is to identify skilled workers from either a domain or technology background and train them to develop the skills they lack.

One solution is partnering with universities. For example, recognizing that ready talent is not necessarily available in the marketplace, some service providers partner with universities to identify suitable individuals for entry-level positions and then train staff in those positions on AFC fundamentals.

Developing talent

At the same time, the half-life of professional skills is decreasing at an alarming pace. Regulations and technology are constantly changing, so talent agility is key. Organizations must create an environment of innovation, training, and enabling people to do their jobs faster and better, including enabling them with access to the right tools, be they bots or data libraries.

Firms are increasingly using techniques such as micro learning, which breaks information into bite-sized pieces, and spaced learning, which identifies the right moment for intervention so that trainees retain more information. Gamification is another technique that makes learning fun and increases retention.  Through a combination of these approaches, firms can train employees and develop talent much more efficiently.

Retaining talent

Today’s banks are losing employees not only to other banks, but also to techfin firms. Amazon, Apple, Facebook, and Google are all making forays into banking, and they’re always on the lookout for people who can help their engineering teams understand the financial payments and risk disciplines. To retain talent, it’s important to drive workers’ aspirations.

Keeping employees engaged is essential to retention. Engagement can be accomplished through creative challenges and contests that instill sustainable change and help employees use their skills beyond their day-to-day work.

When it comes to AFC talent, it’s a battlefield out there. To learn more about how financial institutions can attract, manage, and motivate AFC talent to achieve the best balance between human and technical intelligence, check out the webinar I recently conducted with Genpact on this topic.

Key Issues For Enterprise IT Spend Decisions In 2020 | Blog

When considering your company’s IT spend decisions for 2020, it’s helpful to know what your peers and competitors expect for IT spend this year. What are their top investment priorities? Their biggest challenges? Is their focus different for 2020 than it was in 2019? How will their plans change if the economy strengthens or if it weakens?

Read my blog on Forbes

Is Latin America the Emerging Region for Technology Services Delivery? | Blog

For years, India has been the epicenter of offshore technology services delivery for U.S.-headquartered enterprises. But our Market Vista Annual Report 2019 and Predictions for Global Services Delivery Locations 2019 reports show that a host of factors are driving a much closer look at Latin American countries as a destination for the delivery of IT services.

So, what’s making Latin America click with companies of all sizes, including some of the world’s biggest brands, like Amazon, Facebook, Google, HP, Intel, and Microsoft?

Proximity with the U.S.

The time zone differences between India and the U.S. are impeding demand for agile development. But because Latin America and the U.S. share similar time zones, the delivery and client teams can collaborate in real time.

Availability of skilled IT professionals

Due to strong government and educational support, Latin American countries are producing an ever-growing number of talented professionals with relevant, and often advanced technology skill sets, like blockchain, artificial intelligence, and machine learning.

Rise in technology start-ups

The abundance of low-cost technical talent is driving a surge in Latin American country-based technology start-ups through accelerator programs such as 500 Startups, Techstars, and Y Combinator. Investors are also betting high on tapping the potential of technology start-ups in the region. For example, SoftBank Group in March 2019 announced a US$5 billion Innovation Fund, touted to be the largest-ever technology fund in Latin America.

Less competitive intensity

Although India is far more cost competitive than Latin American countries, competition in India is increasingly intense given that it is home to more than 1,100 shared services centers and thousands of service provider delivery centers. Because there are fewer service delivery centers in Latin America, competition for talent is comparatively lower, making it easier for companies to hire the best talent.

Language proficiency

Most Latin American countries have significantly improved in English language proficiency over the years. And their Spanish language skills are valuable to the U.S. market given the large Spanish population residing in the country.

Most leveraged countries for technology services in Latin America

What are the top five Latin American countries doing to advance their attractiveness to technology services clients?

Mexico — #1

  • Passed new regulation for its FinTech sector, which is the largest FinTech ecosystem in Latin America
  • Established INADEM to support establishment of start-ups
  • Launched 500 Startups Latin America, Startup Mexico, and Startup Weekend Mexico to develop tech start-ups
  • Launched the world’s largest free economic zone along the US-Mexico border to attract tech investments.

Argentina — #2

  • Passed the Entrepreneur’s Law, which accelerates businesses’ registrations
  • Launched programs such as Startup Buenos Aires and IncuBAte to support entrepreneurship
  • Provides free university education to everyone.

Brazil — #3

  • Established Start-Up Brasil, a federal program to support start-ups
  • Launched TechD, a public-private partnership, to fund emerging technology companies
  • Initiated a national plan on digital transformation, IoT, and information, communications, and cyber security strategy
  • Launched STEAM courses to develop a large pool of engineers and technical talent
  • Passed a law to hire temporary workers on a longer contract term.

Colombia — #4

  • Rebranded Colombia as a technology center, and offers tax incentives and a professional training program
  • Established a Ministry of Science, Technology, and Innovation, and a High Council for Innovation and Digital Transformation to support tech initiatives.

Chile — #5

  • Launched a centralized web system that allows one-day business registrations
  • Established Start-Up Chile to support development of start-ups and boost the local tech ecosystem
  • Launched a tech visa facility to help technology talent and investors acquire a visa in 15 days
  • Introduced a blockchain-based platform for public payments.

With their strong trade links, nearshore advantage, and growing technology talent pools, several of the Latin American countries offer a multi-pronged value proposition to enterprises seeking an IT services delivery destination.

To learn more about the region, please read our Market Vista Annual Report 2019 and Predictions for Global Services Delivery Locations 2019 reports.

Protect Yourself from Cyber-breaches: Digital Forensics and Incident Response | Blog

According to the Identity Theft Resource Center, a staggering 1,200+ breaches were reported in 2018. A breach can wreak havoc on a business, including – but not limited to – loss of revenue and reputational harm. And poor incident response can compound that damage, as demonstrated by breaches at Deloitte, Equifax, Uber, and Yahoo.

Some enterprises are recognizing the importance of being prepared and able to respond to attacks: 22 percent of respondents to a 2018 Everest Group survey rated “reduction in time/effort to detect, respond, and recover from breaches” as their top strategic priority in the next 12-24 months.

But given the dangers, 100 percent of enterprises need to think through and create an effective risk mitigation strategy. This is where Digital Forensics and Incident Response (DFIR) can be essential. Combining incident response with deep forensic analysis to collect and examine digital evidence on electronic devices, an effective DFIR strategy can help mitigate business risks in the early stages of an attack.

Twin Forces Driving DFIR adoption

Starting on the DFIR journey: an enterprise perspective

The first step in the journey is establishing forensic analysis and incident response teams responsible for reporting, incident handling, and monitoring when a breach is detected.

The incident response team should have specific training in areas such as file systems and operating system design, and have knowledge of possible network and host attack vectors.

After a breach is detected, the forensic analysts must work closely with the incident response team to address several issues, such as isolating affected systems and making containment decisions, based on existing device, access, and data security policies. Enterprises must also update their policies regularly to stay ahead of attackers.

Putting DFIR into action

An effective incident response plan should include the following components:

Enterprise action items following breach detection

A guided approach to creating a DFIR strategy

Enterprises without a cyber-attack incident response plan leave themselves open to potentially insurmountable losses. Despite the danger, they often face significant challenges in creating a plan. These challenges include:

  • Limited budget for plan development and forensic analysis
  • Lack of built-in approval systems to kick off incident response
  • Lack of support for cyber insurance policies
  • Lack of adequate skill sets to perform forensic analysis.

Our guided approach to developing a DFIR strategy can help enterprises evaluate and onboard digital forensics as part of their overall cybersecurity strategy.

DFIR strategy for enterprises

Specialist DFIR offerings can help

As many enterprises aren’t equipped to improve their security posture and reduce incident response times on their own, specialist DFIR vendors – such as CrowdStrike, Cylance, and Mandiant – can assist with suites of holistic offerings. In contrast with managed security services (MSS) players, specialist DFIR vendors lead with localization as their core value proposition. Their product-centric service offerings, localization, and guided approach to helping enterprises build resilient businesses are valuable resources for enterprises.

In fact, DFIR capabilities are becoming a deal clincher/breaker in large security transformation deals between enterprises and MSS providers. Enterprises need to carefully analyze the value proposition of their current/potential MSS partners serving as their DFIR vendor. The following checklist can help enterprises determine if their MSS providers can provide DFIR services.

Enterprises MSS Partner checklist for DFIR capabilities

Approaching DFIR in the digital world

Today’s business environment has dramatically changed the way enterprises need to address DFIR. Adoption of digital technologies such as cloud, IoT, mobility, software defined everything (SDX), etc., has made traditional forensics techniques obsolete. And issues such as evidence acquisition, validation, and cataloging are just the tip of the iceberg.

The following new approach can help enterprises effectively protect themselves against cyber attacks in the digital world.

The new approach to DFIR

Given what’s at stake, enterprises must understand that remaining in the dark about potential breaches can prove significantly more devastating than the time and resources required to build or onboard competent digital forensics capabilities. DFIR can be a challenge, but it’s worth it.

Please reach out to us at [email protected] and [email protected] if you are interested in exploring DFIR in further detail.

Enterprises Must Bake “Contextualization” into Their IT Security Strategies | Sherpas in Blue Shirts

Given the rapid uptake of digital technologies, proliferation in digital touchpoints, and consumerization of IT, traditional enterprise security strategies have become obsolete. And challenges such as security technology proliferation, limited user/customer awareness, and lack of skills/talent are making the enterprise security journey increasingly complex.

Against that backdrop, the key thrust of our just released IT Security Services – Market Trends and Services PEAK Matrix™ Assessment 2019 is that the conventional, cookie cutter best practices prescribed by service providers no longer cut it. Indeed, we subtitled this new assessment “Enterprise Security Journeys and Snowflakes – Both Unique and Like No Other!” because the complexities of today’s technological and business landscape are forcing enterprises to use a much more guided and contextualized approach toward securing their IT estates.

What does this mean? To achieve success, enterprise IT security strategies must focus on three discrete, yet intertwined, levers.

Enterprise-specific Business Dynamics

In order to prioritize their investments in next-generation IT security, every enterprise needs to understand which assets it considers its crown jewels, how the business – and its security investments – will scale, and how to best mitigate risk within budgetary constraints. For example, a traditional BFS enterprise has far different endpoint security needs than does a digital-born bank.

Enterprises must also determine how delivery of superior customer and user experiences and exceptional security can co-exist. For example, a BFS enterprise’s introduction of an innovative new payments service backed by multi-factor authentication must operate without degrading the customer experience with delays.

Vertical Considerations

Enterprises need to take an industry-specific, value chain-led view of IT security that ensures optimal budget control without compromising the overall security posture.

For example, BFS firms must invest in security measures that protect their transaction processing and control/compliance capabilities. And building security controls for user access management, introducing behavioral biometrics into an integrated authentication process, and developing identity controls for anti-money laundering compliance are essential safeguards for sustainable competitive advantage.

Regional Considerations

Stringent regulatory environments (such as GDPR for customer data protection in Europe, PCI DSS for payments in the U.S., HL7 for international standards for transfer of clinical and administrative data between applications) and geography-specific nuances require a circumstantial approach to IT security. This means that geography-specific compliance around data protection, protectionist measures undertaken by the government, enterprises’ digital demand characteristics, and enterprises’ priorities in specific regions need to be taken into account. And global organizations must adhere to a well-defined strategic roadmap to address multiple variants of IT security standards across the globe.

For service providers, this essentially implies delivery of localized services in their focus geographies.

Taking a Phased Approach

While bolting-on IT security capabilities may lead to unnecessary – and valueless – sprawl, enterprises can avoid this challenge by investing in their IT security strategies in a phased manner, as outlined in the figure below.

IT Security Blog

To learn more about IT security contextualization, please see our latest report, which delves deeply into the important whys and hows of contextualizing IT security and also provides assessments and detailed profiles of the 21 IT service providers featured in Everest Group’s IT Security Services PEAK Matrix™.

Feel free to reach out to us to explore this further. We will be happy to hear your story, questions, concerns, and successes!

Enterprises Should Jump – Carefully – on the Cloud Native Bandwagon | Sherpas in Blue Shirts

With enterprise cloud becoming mainstream, the business case and drivers for adoption have also evolved. The initial phase of adoption focused on operational cost reduction and simplicity – what we call the “Cloud for Efficiency” paradigm. We have now entered Wave 2 of enterprise cloud adoption, where the cloud’s potential to play a critical role in influencing and driving business outcomes is being realized. We call this the “Cloud for Digital” paradigm. Indeed, cloud is now truly the bedrock for digital businesses, as we wrote about earlier.

Cloud blog image 1

This is good and powerful news for enterprises. However, to successfully leverage cloud as a business value enabler, the services stack needs to be designed to take advantage of all the inherent benefits “native” to the cloud model – scalability, agility, resilience, and extendibility.

Cloud Native – What Does it Mean Anyway?

Cloud native is not just selective use of cloud infrastructure and platform-based models to reduce costs. Neither is it just about building and deploying applications at pace. And it is definitely not just about adopting new age themes such as PaaS or microservices or serverless. Cloud native includes all of these, and more.

We see cloud native as a philosophy to establish a tightly integrated, scalable, agile, and resilient IT services stack that can:

  • Enable rapid build, iteration, and delivery of, or access to, service features/functionalities based on business dynamics
  • Autonomously and seamlessly adapt to any or all changes in business operation volumes
  • Offer a superior and consistent service experience, irrespective of the point, mode, or scale of services consumption.

Achieving a true cloud native design requires the underlying philosophy to be embedded within the design of both the application and infrastructure stacks. This is key for business value creation, as lack of autonomy and agility within either layer hinders the necessary straight-through processing across the integrated stack.

In this regard, there are salient features that define an ideal cloud native IT stack:

Cloud native applications – key tenets

  • Extendable architecture: Applications should be designed for minimal complexity around adding/modifying features, through build or API connections. While microservices inherently enable this, not all monolithic applications need to be ruled out from becoming components of a cloud native environment
  • Operational awareness and resilience: The application should be designed to track its own health and operational performance, rather than shifting the entire onus on to the infrastructure teams. Fail-safe measures should be built in the applications to maximize service continuity
  • Declarative by design: Applications should be built to trust the resilience of underlying communications and operations, based on declarative programming. This can help simplify applications by leveraging functionalities across different contexts and driving interoperability among applications.

Cloud native infrastructure – key tenets

  • Services abstraction: Infrastructure services should be delivered via a unified platform that seamlessly pools discrete cloud resources and makes them available through APIs (enabling the same programs to be used in different contexts, and applications to easily consume infrastructure services)
  • Infrastructure as software: IT infrastructure resources should be built, provisioned/deprovisioned, managed, and pooled/scaled based on individual application requirements. This should be completely executed using software with minimal/no human intervention
  • Embedded security as code: Security for infrastructure should be codified to enable autonomous enforcement of policies across individual deploy and run scenarios. Policy changes should be tracked and managed based on version control principles as leveraged in “Infrastructure as Code” designs.
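The "embedded security as code" tenet can be made concrete with a small deploy/run gate. The sketch below is an added example, not code from the original post: the rule schema, resource fields, and all names are assumptions, and the fingerprint check stands in for pinning the policy set to a reviewed commit in version control.

```python
import hashlib
import json

# Constructed policy set (hypothetical schema): each rule names the resource
# kind it covers, the stages where it is enforced, and the field it constrains.
POLICIES = [
    {"id": "storage-encrypted", "kind": "bucket", "stages": ["deploy", "run"],
     "field": "encryption", "equals": True},
    {"id": "storage-private", "kind": "bucket", "stages": ["deploy", "run"],
     "field": "public_access", "equals": False},
    {"id": "no-open-ssh", "kind": "firewall_rule", "stages": ["deploy"],
     "field": "source_cidr", "not_equals": "0.0.0.0/0"},
]

# Constructed resource declarations, as an infrastructure-as-code tool might emit.
RESOURCES = [
    {"kind": "bucket", "name": "audit-logs", "encryption": True, "public_access": False},
    {"kind": "bucket", "name": "exports", "public_access": True},  # encryption not declared
    {"kind": "firewall_rule", "name": "ssh-admin", "port": 22, "source_cidr": "0.0.0.0/0"},
]

def policy_fingerprint(policies):
    """Stable hash of the policy set; it changes whenever any rule changes."""
    canonical = json.dumps(policies, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def evaluate(resources, policies, stage):
    """Return (resource name, policy id) for every rule violated at this stage."""
    violations = []
    for res in resources:
        for rule in policies:
            if rule["kind"] != res["kind"] or stage not in rule["stages"]:
                continue
            value = res.get(rule["field"])  # an undeclared field fails an "equals" rule
            if "equals" in rule and value != rule["equals"]:
                violations.append((res["name"], rule["id"]))
            if "not_equals" in rule and value == rule["not_equals"]:
                violations.append((res["name"], rule["id"]))
    return violations

def gate(resources, policies, stage, approved_fingerprint):
    """Fail closed if the policy set is unreviewed or any rule is violated."""
    if policy_fingerprint(policies) != approved_fingerprint:
        return False, [("<policy-set>", "unreviewed-policy-change")]
    violations = evaluate(resources, policies, stage)
    return not violations, violations
```

Because the gate compares the live policy set against the fingerprint recorded at review time, a weakened rule is rejected before any resource is evaluated.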

Exponential Value Comes with Increased Complexity

While cloud native has, understandably, garnered significant enterprise interest, the transition to a cloud native model is far from simple. It requires designing and managing complex architectures, and making meaningful upfront investments in people, processes, and technologies/service delivery themes.

Everest Group’s SMART enterprise framework encapsulates the comprehensive and complex set of requirements to enable a cloud native environment in its true sense.

Smart Cloud blog image

Adopting Cloud Native? Think before You Leap

Cloud native environments are inherently complex to design and take time to scale. Consequently, the concept is not (currently) meant for all organizations, functions, or applications. Enterprises need to carefully gauge their readiness through a thorough examination of multiple organizational and technical considerations.

Cloud Key Questions blog image

Our latest report titled Cloud Enablement Services – Market Trends and Services PEAK Matrix™ Assessment 2019: An Enterprise Primer for Adopting (or Intelligently Ignoring!) Cloud Native delves further into the cloud native concept. The report also provides the assessment and detailed profiles of the 24 IT service providers featured on Everest Group’s Cloud Enablement Services PEAK Matrix™.

Feel free to reach out to us to explore the cloud native concept further. We will be happy to hear your story, questions, concerns, and successes!

The Equifax Data Theft: What if GDPR were in Force? | Sherpas in Blue Shirts

The high entropy data protection space has once again gained headlines after Equifax, the U.S.-based consumer credit reporting agency, revealed that a July 2017 theft compromised more than 143 million American, British, and Canadian consumers’ personal data. The data breach incident, one of the worst cyber-attacks in history, was conducted by hackers who exploited a vulnerability in the company’s U.S. website and stole information such as social security numbers, birth dates, addresses, and driver’s license numbers. (Equifax maintains and develops its database by purchasing data records from banks, credit unions, credit card companies, retailers, mortgage lenders, and public record providers.)

Much about the situation would have been considerably different had this breach happened after May 2018, at which time the General Data Protection Regulation (GDPR) – a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) – goes into effect. Even though it is not headquartered in the EU region, Equifax would have come under the purview of GDPR, because it maintains and reports the data of British citizens. And the stringency of requirements and degree of implications would have been significantly higher for the credit rating agency.

GDPR and Equifax

Although not directly related to GDPR, another significant business impact is the sudden “retirement” of Equifax’s CEO less than three weeks after the breach was announced.

This massive cyber-attack is a wake-up call for the services industry. Starting today, operations and businesses must regard data protection regulations with the utmost importance. Non-compliance will not only harm firms financially, but also expose them to brand dilution and business continuity risks.

Some of the key imperatives for enterprises operating in the ever-so-stringent data protection space include:

  • Know and understand the data security laws under which your enterprise falls, especially those such as GDPR that have far reaching impacts
  • Redesign your business processes to incorporate privacy impact assessments to identify high risk processes
  • Implement necessary changes in the contracts with third parties to incorporate the stricter requirements of consent
  • Achieve process transformation to inculcate privacy by design; this includes risk exposure reduction by technological changes such as data minimization
  • Appoint a Data Protection Officer to align the business goals with data protection requirements
  • Make suitable changes in contracting and governance practices to ensure adequate emphasis on data protection

To learn more about the strategic impact of the EU GDPR on the global services industry, please read our recently released viewpoint on GDPR: “EU GDPR: Is There a Silver Lining to the Disruption.”
