With over 20,600 employees in 50 countries, Symantec is the fourth largest software company in the world, and a leading provider of managed security services through the cloud, including data loss prevention, encryption and authentication. The Mountain View, California based company currently supports customers with cloud-based solutions in three ways: users consume Symantec’s cloud-as-a-service hosted security; they build cloud environments using Symantec products to enable secure delivery of private/public cloud services; and enterprises use Symantec services to minimize risk and ensure compliance when adopting third party cloud services. It also operates a vast network of security research and response centres, development facilities, technical support and customer services centres.
The company is primarily focused on security incident and event management from a Managed Security Services perspective, and on securing business communications through its Email Security.cloud and Email Encryption.cloud. Symantec also offers multi-factor authentication services through its Validation and ID Protection Services, an increasingly critical capability in ensuring security in multi-cloud platform environments. Other Symantec solutions are aimed at customers who build clouds, and include Data Centre Security for protecting cloud servers; Control Compliance Suite to ensure compliant clouds; SSL certificates for secure cloud interactions; and Data Loss Prevention to determine which workloads should be private cloud.
Symantec services customers across a broad spectrum of sectors, including automotive, education, government, financial services, service providers, industrial control systems, healthcare and retail. The Canadian operation, which is based in Toronto, employs 150 people across the country. According to Sangameswaran Manikkayam, principal security architect in Canada, the company has experienced double-digit growth in demand for its cloud-based services. “Any enterprise in almost any sector – including financial services, retail and manufacturing – has entered into consuming the cloud-as-a-service option. Now a number are moving into the second or third options.”
Best practices (internal): keeping ahead of the learning curve
Email Security.cloud and Email Encryption.cloud leverage Symantec’s Global Intelligence Network, the largest civilian threat collection network, which tracks over 700,000 adversaries worldwide, to provide scanning technology that blocks unwanted email, spear-phishing and targeted attacks.
In addition, Symantec works with any technology offering itself before providing the required security as a service to a customer, Manikkayam said. “We eat our own cooking so to speak, which means any services we offer, we use internally before rolling them out to customers.”
All Symantec employees are required to go through mandatory training and certification on all the different modules offered to customers. Employee training is closely monitored to ensure that completion deadlines are met, and the training modules on security awareness are the same as those for end users.
Metrics: a clear measure of performance
Symantec’s key measure of success is in service level agreements that are clearly defined for different solutions and services offered to customers. For example:
- AntiSpam effectiveness has consistently exceeded its 99% target (99.999979% in November 2015)
- AntiSpam accuracy (target is no more than 0.0003%) achieved a 0.000014% rate in the same month
- AntiVirus accuracy is at 0.000001%
- Email and Web Service availability both achieved 100% from June to November 2015*
Business challenges for customers: understanding the risks associated with cloud hosting of data
The challenge for customers does not lie in understanding the value of cloud services, Manikkayam said. “Everyone understands the benefits with cloud in terms of cost savings, efficiency, rapid deployment, adaptability and scalability. But the most important concern for them is human error if there are inadequate privacy controls. Things can quickly escalate if information is not being copied into a secure location in the cloud.”
The decision to store information in the cloud, however, can be a complex exercise that encompasses understanding the many facets of good information management, including data governance, information security, auditability, accountability, data leakage and compliance requirements. As a result, there is a constant struggle between IT, the individual business units and end users on security process, Manikkayam said. “IT demands efficiency; the business units require flexibility; and end users want convenience. These are dynamic and moving elements that change depending on the sector the business operates in. And all of them want to do more with less which can create major challenges from a security perspective.”
Best practices (external): simplifying the decision making process
Manikkayam noted that there is no hard and fast answer to whether customers should put their data into the cloud that addresses all circumstances. “They [cloud users] will need to make a decision for each type of data, based on the risk associated with it. In some cases, cloud adoption will reduce the level of risk; in others they would be better off keeping data in-house. It’s imperative to do a proper risk assessment to find out where data and apps should reside, based on the business need. You need to take a holistic view of all the moving parts.”
A key requirement, then, is for customers to gain a clear understanding of what should and should not be stored in the cloud from a privacy and security perspective. “When it all comes into play, the key message would be: enterprises should focus policies on information and people; not technology and platforms,” Manikkayam observed. Symantec’s job, on the other hand, “is to simplify the decision,” with solutions that can address the privacy and security risk associated with cloud migration. “Clients should be educated in order to get the most out of their business applications while maintaining security. It’s always a delicate balance,” he concluded.
* All metrics are made available to customers when they log into the customer portal, and are regularly published on the public website.