Security versus agility: how do we achieve the best of both worlds?


By Lindsay Morgan, ANZ Director, Government Security at SAP

If 2020 taught us anything, it’s that the weakest link often defines the strength of a chain. Major crises and national challenges have reinforced the importance of collective success – when even one element struggles, so does the larger group.

It’s an especially important principle in cyber security, where the tiniest vulnerability can open entire ecosystems to potential harm.

It’s also relevant to the government’s attempts to strengthen its cyber security and critical infrastructure posture while supporting industry to do likewise. A major component of the government’s 2020 cyber security strategy, the draft legislation on Protecting Critical Infrastructure and Systems of National Significance would expand the label of “critical infrastructure” and create new security obligations and mandatory reporting for various public and private organisations.

These organisations could face steep penalties if they don’t answer the call to become deeper partners with Australia’s government in all aspects of security, particularly cyber.

The government is clearly taking a more holistic approach to cyber security – and so are enterprises. But this gets tricky once you factor in cloud solutions (public and private), whose agility and scalability are increasingly necessary for organisations to capitalise on the value of rich data, streamline distributed operations, realise cost efficiencies and make better use of contemporary and emerging tech.

However, platforms like SAP HANA have evolved over a decade to help reconcile some of these tensions. Let’s take a look at how.

Can cloud solutions complicate security?

Regardless of architecture, security teams have to think carefully about who has access to data and how they’re accessing it.

Most recently, with on-premise architecture, the environment was a little more like a traditional building with an entrance and an exit. It’s a lot simpler to control security when you’re managing limited entry points. While many or even most cloud providers have robust security measures in place, cloud solutions do come with more entry points.

However, the security of those entry points differs based on public versus private cloud, as well as a wide variety of other factors. For instance, within public cloud, there’s simply a greater number of side doors that require the same level of security. With private cloud, you control who has a door and what you let in and out.

That doesn’t mean organisations should sacrifice the benefits of all public cloud solutions – in fact, that might do more harm than good. It just means that security considerations need to govern any decision to bring new cloud extensions or providers into your environment. But ensuring scalable, enterprise-wide solutions is where things can get trickier.

Solutions that marry security with flexibility

In many organisations, elements of information are taken out of core systems and put into other data lakes, repositories or spreadsheets. The same piece of information is not only repeated in multiple areas but also with varying degrees of security applied to each of those different locations. If the weakest link determines the strength of the chain, then this approach means there are far more links whose strength is even harder to control or test.

Solutions like SAP HANA, whose 10-year evolution has always been anchored in protecting information and assets, can go a long way to resolving this sort of issue. As an enterprise-scale in-memory database designed to allow end users to have a conversation with their data, HANA caters to large volumes of data and diverse use across a broad user community. The way this can be leveraged for better security is simple: the more information you have in a secure, controlled, unified container, the easier it is to protect that information with centralised security measures.

HANA also enables real-time anonymisation of data displayed in SQL views. This means companies can analyse even the most sensitive and regulated of records – such as those in healthcare – while still protecting data and supporting compliance with privacy standards like the European Union’s General Data Protection Regulation (GDPR).

Solutions like Data Warehouse Cloud are the next evolution in further resolving tensions between innovation and security. They allow organisations to extend secure data environments to secure cloud solutions, combining features of HANA with the rigorous security frameworks provided by a range of hyper-scalers. So, even in complex multi-cloud systems, you can achieve a consistent enterprise-wide data management framework and connectivity to other systems, whether that be public, private, on-premise systems or ubiquitous data sources like IoT devices.

Changing how we think about cyber security

Various types of platforms and architectures can help achieve robust, enterprise-wide security frameworks without sacrificing the benefits of cloud. But strengthening your security posture will also depend on shifting mindsets and educating stakeholders about cyber security and management of risk. There are plenty of business imperatives for this already, but 2021 will see additional regulatory control and incentives as the federal government takes a bigger role in cyber security.

Two big mindset shifts need to happen across all of industry and critical infrastructure sectors. First, when it comes to IT systems and reporting environments, we too often test them based on how we expect them to perform. Particularly from a security perspective, we need an extra level of testing that focuses on what malicious actors want to do and what they’re going to try. It’s important to test systems based on how we want them to be used but also how we don’t want them to be used.

Secondly, we often talk about how to collect data, store data and extend data. Cyber security compels us to ask: what are we going to do with this data? How will people use it? This is particularly crucial now that workers are less tethered to offices or corporate networks. It’s more important than ever to think about the potential usage of data and truly consider its security risk, ensuring that the device and solution set you’re using to present or extract that data is genuinely secure.

The choice between security and innovation is a false one. Still, the topic is undeniably complex and demands ongoing discussion and thought.

So, what are you doing to protect your organisation while still pushing it forward?