Today, I’d like to talk about cloud security and what it means for CISOs. You may have read our recent eBook, The CISO’s Guide to Cloud Data Protection. I’d like to pick up a couple of its core themes today and talk about what you can do to improve the security posture of your organization.
Why is this an important topic? The cloud is exploding. Forrester Research projects that the annual spending on cloud applications is going to increase from $72 Billion in 2014 to $191 Billion by the end of the decade (source: Forrester Research, The Public Cloud Market is Now In Hypergrowth, April 2014).
This massive change in the landscape has implications for security personnel. Traditionally, there is a bit of a conflict between the CISO and the CIO. The CIO is trying to align with the business – trying to move the organization forward – and the cloud provides a lot of opportunities for productivity gains. The CISO, meanwhile, has even more concerns, because the cloud is much more open and can seem harder to lock down. So there is a natural tension there.
But, what if you could align the interests of the business with the objectives of IT and security at the same time? That is the challenge CISOs have – being seen as a facilitator and accelerator of the business rather than a blocker.
Why is the cloud security challenge so substantial? In part, it is due to the phenomenon commonly referred to as “Shadow IT”: many organizations don’t even know which apps are being used by their end-users.
On one hand, you have applications sanctioned by your IT department. You might be using Salesforce as your CRM, or, Drive for Work or Office365 for collaboration, or Workday for HR, and on and on.
On the other hand, you might have unsanctioned apps used for personal purposes, such as social media apps. You also have applications that sit right in the middle – apps employees adopt on their own for productivity gains.
The concern here is that those apps are connected to your corporate systems and authenticated against them, giving them direct access to your corporate data. If there’s a security issue with the connected app, it impacts your core systems as well. We recommend protecting not only your core sanctioned apps, but also these other apps that are touching your corporate systems.
On that note, let’s talk about approaches to securing these cloud applications. Fundamentally, there are two different approaches.
First, let’s consider the man-in-the-middle approach. This approach advocates putting a device – a gateway or a proxy – between your users and the cloud, so that any data is vetted for potential security concerns before it reaches the cloud.
The major challenge with this approach is that you’re creating a single point of failure in the middle: if something goes wrong with the gateway or proxy, it impacts your users, can break applications, and has major productivity implications. Additionally, the notion that you can protect your corporate network by funneling all your traffic through this device is a little old-fashioned. Your users are going to be mobile – traveling, on the road, working from coffee shops. This approach also misses the growing volume of cloud-to-cloud traffic that never traverses your network.
The alternative is a cloud-native approach that takes advantage of the security APIs provided by your cloud application providers, with those APIs leveraged by your cloud security provider.
This approach gives you real-time access to much of the critical information about what is happening – what your users are doing, what data is coming in or going out, and more. It allows you to create a more unified, people-centric approach that doesn’t impact your end-users at all – the controls you are looking for without the downsides of an inline device.
Ready for more?
In our CISO’s Guide to Cloud Security eBook, you will:
- Learn the characteristics and priorities of today’s forward-thinking security leaders
- Obtain actionable guidelines to initialize and execute an effective cloud security program
- Be empowered to bring it all to life with a formula to measure the impact of security efforts in every organization