IT transformation provides an opportunity to fortify your security foundations

Trying to change the IT (Information Technology) infrastructure is hard at the best of times, but the coronavirus pandemic has ironically helped IT departments to do just that. In many cases, the pandemic has helped to accelerate IT transformation projects. Organizations are looking to digitally enable their business processes as they are grappling with the enhanced requirements and demands of the ‘new normal’.

In general terms, transformation is a total change from one state of an (IT) environment to a new state which provides the same or a more significant value. Therefore, IT transformation often involves a complete reassessment and overhaul of an organization’s (IT) systems to improve efficiency and delivery in a digital economy. IT transformation forms the foundation of an organization’s larger digital transformation strategy and is often led by business leaders, such as the CIO. It can involve changes to – and modernization of – network architecture, hardware, software, IT service management, and how data is stored, accessed and protected.


Expected benefits of a transformed IT environment

Successful IT transformation builds a reliable foundational infrastructure to deliver automated services, cloud computing and new operating models. It also automates and accelerates the deployment of IT services and reduces risk during deployments. IT transformation clears the path to deliver IT-as-a-service (ITaaS) that is more cost-effective, agile and helps foster innovation. By optimizing traditional IT cost models, organizations can free up IT budget from operational expenses and redirect funds to digital transformation projects.


IT industry shift to consumption-based models

Recent developments of ITaaS offerings by leading IT providers have led to a shift in consumption-based IT models. Customers only consume the IT services (hardware, software, services, and support) they need, and pay for them accordingly every month. HPE’s GreenLake program is based on these principles and provides customers with pre-configured Cloud environments for several defined workloads. The monthly cost is based on the agreed monthly usage of the GreenLake services. If a customer needs more services than contractually agreed, they can scale up to a higher usage level and pay for the additional usage.

The traditional IT cost model of capital expenditure (CAPEX) and operational expenditure (OPEX) shifts to an OPEX only model, thus freeing up capital resources which can be used more productively in other areas.


NonStop fundamentals put HPE NonStop at the heart of mission-critical IT transformation

The last 12 months, in particular, have shown that a flexible/agile IT environment needs to be structured to cope with ever-changing and increasing demands to support mission-critical business processes. The hardware and software need to be highly available, massively scalable and very reliable, to meet these demands. That’s the sweet spot of HPE NonStop systems as they are designed from the ground up for mission-critical environments that demand continuous business availability and full fault tolerance. HPE NonStop eliminates downtime risk while meeting very demanding enterprise-scale business needs, online transaction processing, and database requirements.

High availability is essential in the Financial Industry, Retail, Wholesale, and Manufacturing, where systems need to operate around the clock 24/7/365. Nowadays, downtime, delays, or data losses can easily destroy a business.

For many years, NonStop systems were purpose-built for specific data processing tasks, namely mission-critical Online Analytical Processing (OLAP) and Online Transaction Processing (OLTP) on relational database management systems (RDBMS).

The emerging diversification in the datacentre with its purpose-built approach to matching specific data types with the optimal combination of hardware and software technologies is not threatening applications’ mobility. Today’s open-source layers, such as Kubernetes, OpenShift, or Gardener, provide a shared plane regardless of the underlying hardware. This shared plane is also enabling HPE NonStop systems to operate in a hybrid cloud environment.


What about cloud security and compliance?

With clouds established over a decade ago, cloud technology usage has accelerated phenomenally in recent years, especially within the FinTech (financial technology) realm. Enterprises want to leverage the many benefits cloud migration promises, including increased flexibility, mobility, insight, data security compliance, and a clear ROI in terms of cost-efficiency. One specific compliance requirement for financial and retail enterprises is imperative: The Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry (PCI) formed PCI DSS to ensure any organization that stores, processes, or transmits cardholder data must follow a consistent industry standard. This dictates the need for the security, privacy and visibility of cardholder data (CHD) to be regulated across applications and platforms. However, what role does cloud-native technology have to play when it comes to compliance?

As we know, businesses want the benefits of speed and agility, which give them the ability to do more with less. However, these benefits come with additional risks. Many of the data breaches we have seen or heard about occurred as a result of cyberattacks, exposed vulnerabilities and security misconfigurations. In fact, 94% of organizations have experienced what they call “a serious security issue” in the last 12 months within their container environment. Under PCI DSS, many of these incidents could have resulted in a successful data breach or a non-compliance filing.


Several financial organizations have already moved many of their digital operations either to the cloud or to cloud-native technologies. Yet there are distinct differences between cloud and cloud-native technologies, and an organization must understand which of the two it is actually using before it can assess its compliance obligations.

Cloud technology is on-demand infrastructure, storage, databases and all kinds of application services delivered over the Internet. Organizations use it to store information, programs and applications instead of relying on a local hard drive.

Cloud-native is the architecture for assembling all of the above cloud-based components in a way that is optimized for the cloud environment. Essentially, they are applications and services purposely designed for the cloud and are packaged in containers that are managed by platforms like Kubernetes. These can be deployed swiftly and to scale across different environments.

However, challenges from a risk and compliance perspective can arise when shifting to cloud-native technology. For instance, within highly dynamic Cloud Native environments where applications and services could exist for very short periods of time, it can be challenging to define what might be considered as traditional cardholder data environments. Visibility can also be an issue when using Cloud Native technologies. For example, when you have ephemeral workloads, particularly with containers that hold their own data stores and only exist for short periods of time, data’s actual presence may be transient. This can be tricky, particularly when trying to do things like a forensics investigation for possible data breaches and shortcomings in regulatory compliance. So, how can one secure such data, or monitor its behaviour when there is an evident difficulty in maintaining visibility?

The PCI Security Standards Council (PCI SSC) has provided materials and guidelines on cloud computing. When dynamic container environments are scaled across multiple applications and ecosystems, auditing, defining and securing each system can be extremely difficult.

There is also the question of how responsibility for data privacy and security is split between the data owner and the cloud provider. Under the PCI shared responsibility model, the data owner retains full responsibility for protecting cardholder data and for ensuring that any data transmitted or stored within their applications and databases meets the requirements.

To meet PCI DSS compliance, organizations must ensure that cardholder data is effectively secured within these containerized environments. Therefore, many decision-makers aim to utilize a data security approach that leverages stateless tokenized architectures which can be seamlessly implemented to meet the PCI DSS requirements. For instance, storing tokens instead of PANs reduces the amount of sensitive data held within these architectures. Furthermore, using container-based tokenization to address PCI DSS requirements around shared responsibility can be extremely beneficial as it can keep up with the agility, changes and demands of cloud-native technology, unlike the more traditional data protection platforms used for such environments.

Cloud-Native ecosystems can scale up on-demand or contract when under threat and offer new possibilities for risk-reduction approaches. Fortunately, tokenization can meet this security demand for the data it is protecting within these environments. New cloud-native ecosystems drastically change the modern retailer’s and payment processor’s approach, but to guarantee PCI DSS compliance and complete risk reduction, it is still absolutely critical to follow a data-centric security approach.
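To make the token-instead-of-PAN idea concrete, here is an added example written for this article (not comforte's or HPE's product code): a hypothetical stateless, format-preserving tokenizer that keeps the last four digits and derives the rest from a keyed HMAC, plus a scanner that flags Luhn-valid card numbers left behind in logs, volumes or message payloads. The key, record fields and sample PAN are constructed for the demo.

```python
import hmac
import hashlib
import re

# Contiguous digit runs of card-number length; separators (spaces, dashes)
# are not matched, so normalize input before scanning if needed.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenize_pan(pan: str, key: bytes, keep_last: int = 4) -> str:
    """Return a same-length, digit-only token for a PAN, keeping the last
    `keep_last` digits visible. Leading digits come from an HMAC of the PAN,
    so the mapping is deterministic across services without a token vault
    and cannot be reversed without the key. Tokens are nudged to FAIL the
    Luhn check so scanners can tell them apart from live card numbers.
    Hypothetical scheme for illustration, not any vendor's product."""
    pan = re.sub(r"[ \-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    n = len(pan) - keep_last
    mac = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    head = str(int.from_bytes(mac, "big") % 10 ** n).zfill(n)
    token = head + pan[-keep_last:]
    if luhn_valid(token):              # changing one digit always breaks Luhn
        token = str((int(token[0]) + 1) % 10) + token[1:]
    return token

def find_raw_pans(text: str) -> list:
    """Card-length digit runs that pass Luhn: likely live PANs that should
    not be sitting in a log, container volume or message payload."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]

def protect_record(record: dict, key: bytes) -> dict:
    """Tokenize the 'pan' field of a transaction record before it leaves
    the cardholder data environment (field name is an assumption)."""
    return {**record, "pan": tokenize_pan(record["pan"], key)}

if __name__ == "__main__":
    KEY = b"demo-key-replace-with-managed-secret"   # placeholder, not a real key
    rec = {"txn": "constructed-0001", "pan": "4111111111111111", "amount": "12.50"}
    safe = protect_record(rec, KEY)
    print(safe, find_raw_pans(str(rec)), find_raw_pans(str(safe)))
```

The scanner run over the raw record reports the test PAN, while the tokenized record reports nothing, which is the check an auditor would expect to pass on anything written outside the cardholder data environment.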

Summary

Looking back to 2020 and the effects of the pandemic, it is evident that the drive to accelerate IT and digital transformation initiatives will continue in 2021 and beyond. The need for robust, mission-critical, highly available, and scalable IT infrastructure increases as organizations continue to move to digital business processes. All this plays into the hands of HPE NonStop systems, which are the platform of choice for organizations that need fault-tolerance, availability, and scalability as the foundation of their enterprises. HPE’s GreenLake program offers ITaaS, including HPE NonStop. Data-centric security is key to protecting the growing volume of transient data and achieving compliance with industry standards and privacy regulations.


Author

  • Thomas Gloerfeld

    Thomas Gloerfeld is Director of Partner Development & Marketing NonStop Solutions at comforte and has been associated with the NonStop community for 25 years. Before joining comforte, he held various management positions at ACI Worldwide in Germany and the UK. In his role at comforte he closely monitors topics such as data security, risk and compliance.
