Good strategy comes from good questions. CIOs today face many challenges, and one of the most vexing is the cloud. Opinions on the cloud vary, but it is here to stay, and the character and pace of its adoption are raising security issues. These stem from the need to extend security strategies, technology and operations, largely built around infrastructure the enterprise controls directly, into a SaaS environment.
The character has changed in the sense that users now provision their own cloud apps, which puts IT in a new position in the decision picture. IT still sets standards, manages vendors, designs architectures, and more, but less and less often does it directly install and run the technology. Yet IT is still 100% front and center in the security picture. This is evident in what I call the BYOX (BYOD, BYOC, BYO-Technology-of-the-Moment) mentality, which was anathema just a few years ago and is almost an article of faith today. The security guys are on the receiving end of the trend.
And the pace is different because the growth curve is driven by a mix of new actors: individuals, organizations, and mobile users who have compelling business needs to meet and, with the flexibility and freedom of the cloud, a way to meet them. This is a change from the stately, petition- and program-driven adoption of the old days. Try to find the admins of a Salesforce or Box domain in a global enterprise and you’ll see how distributed these responsibilities have become.
For the CIO and CISO, whose goal is to enable their business stakeholders, the three questions are obvious. Should we wrap all of these clouds and activities in a unified security model? If we should, what is the best way to do it? And if we figure out a way to do it, when and how should we start?
1) The first question is rhetorical. The CIO and CISO cannot distance themselves from the cloud-friendly BYOX culture. They have an obligation to do something about security and compliance. More importantly, they have an obligation to bring fresh ideas to the fresh cloud model they’re dealing with. This is not so easy, since the cloud is different and old security technology faces in the other direction. But it is doable with new technologies.
2) The second question is a tough one. In the past, complex infrastructures led to complex security strategies, not to mention technologies, with many moving parts and countless points and modes of failure. The cloud is pretty simple, with the vendor handling the gears and levers of the data center. Extending that simplicity to security is the true north of cloud security philosophy.
This means a few things. First, accept the cloud and try to protect the data in the cloud, as opposed to from the cloud. The goal is governance of the data you collaborate with, not isolation of data and users from the infrastructure where they can be productive. Define the use cases that matter in the cloud. Second, leverage your end users. A model aimed at reinforcing individual accountability will be more effective than one that enforces obedience. This is aligned with the people-centric principle enunciated by Gartner. And third, choose an architecture that will scale across the enterprise and align with the goals of governance and individual accountability.
Starting from the architecture side, keeping security simple means keeping it in the cloud. Adding complexity through physical network components, hardware, or installable software defeats the purpose of the cloud in the first place, and breaks its functionality in the second. Find a security vendor who uses the APIs of your cloud vendors. You connect to the security vendor’s cloud, which is essentially a service running in the cloud with its own scalable API, and that service in turn connects to the APIs of your SaaS providers.
As for defining use cases, start with the DLP concept of discovery > classification > control, but adapt it to the cloud, where the issues are:
- Sprawl: over-exposure of information to internal users
- Loss of crown jewels: exposure of restricted content to outsiders
- Stockpiling: diversion of company digital assets for personal use
- Domain compliance: adherence to regulatory requirements
- Cyber-security and privacy: keep third parties from viewing data in your cloud
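To make the discovery > classification > control sequence concrete for the cloud issues listed above, here is an added example (not CloudLock’s code or the article’s own) that runs that pipeline over a handful of constructed file-sharing records of the kind a SaaS provider’s file API might return. The record shape, the corporate domain, the keyword and SSN-pattern classifier, the sprawl threshold and the stockpiling heuristic are all assumptions made for the example; regulatory (domain compliance) rules vary by regime and are not modelled. Each finding carries a recommended control, and most of them are owner notifications rather than silent lockdowns, in keeping with the people-centric accountability model the article argues for.

```python
import re
from dataclasses import dataclass
from enum import Enum

# Constructed sample data and assumed thresholds: everything below is invented for this example.
CORP_DOMAIN = "example.com"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
RESTRICTED_MARKERS = ("confidential", "restricted", "customer list")
INTERNAL_MARKERS = ("internal", "draft")
SPRAWL_THRESHOLD = 3  # assumed: more than this many named internal viewers counts as over-exposure


class Classification(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    RESTRICTED = "restricted"


@dataclass(frozen=True)
class Document:
    """One file record, shaped like what a SaaS provider's file-listing API might return (assumed)."""
    doc_id: str
    owner: str
    text: str
    collaborators: tuple      # e-mail addresses explicitly granted access
    link_sharing: bool        # "anyone with the link" enabled
    domain_wide: bool         # shared with the whole corporate domain
    third_party_apps: tuple   # OAuth apps authorized to read the file


def discover(records):
    """Discovery: normalise raw API records into Document objects, skipping malformed ones."""
    docs = []
    for r in records:
        try:
            docs.append(Document(
                doc_id=r["id"], owner=r["owner"].lower(), text=r.get("text", ""),
                collaborators=tuple(c.lower() for c in r.get("collaborators", [])),
                link_sharing=bool(r.get("link_sharing", False)),
                domain_wide=bool(r.get("domain_wide", False)),
                third_party_apps=tuple(r.get("apps", [])),
            ))
        except KeyError:
            continue  # a record without an id or owner cannot be governed; skip it
    return docs


def classify(doc):
    """Classification: content-based labelling using keyword and SSN-pattern heuristics."""
    body = doc.text.lower()
    if SSN_RE.search(doc.text) or any(m in body for m in RESTRICTED_MARKERS):
        return Classification.RESTRICTED
    if any(m in body for m in INTERNAL_MARKERS):
        return Classification.INTERNAL
    return Classification.PUBLIC


def is_external(email):
    return not email.endswith("@" + CORP_DOMAIN)


def local_part(email):
    return email.split("@", 1)[0]


def control(doc, label):
    """Control: map the cloud DLP issues (sprawl, crown jewels, stockpiling, third-party access)
    to findings, each paired with a recommended action."""
    findings = []
    externals = [c for c in doc.collaborators if is_external(c)]
    internals = [c for c in doc.collaborators if not is_external(c)]
    if label is Classification.RESTRICTED and (externals or doc.link_sharing):
        findings.append(("loss_of_crown_jewels", "revoke external access and link sharing"))
    if label is not Classification.PUBLIC and (doc.domain_wide or len(internals) > SPRAWL_THRESHOLD):
        findings.append(("sprawl", "ask owner to narrow sharing to a named group"))
    # Stockpiling heuristic (assumed): the owner shared the file to an outside account
    # whose local part matches their own, which looks like a personal copy.
    if any(local_part(c) == local_part(doc.owner) for c in externals):
        findings.append(("stockpiling", "notify owner and manager; remove personal-account share"))
    if label is Classification.RESTRICTED and doc.third_party_apps:
        findings.append(("third_party_access", "review and revoke app tokens: " + ", ".join(doc.third_party_apps)))
    return findings


def run_pipeline(records):
    """discovery > classification > control over a batch of records; returns {doc_id: findings}."""
    report = {}
    for doc in discover(records):
        findings = control(doc, classify(doc))
        if findings:
            report[doc.doc_id] = findings
    return report


SAMPLE_RECORDS = [  # constructed
    {"id": "d1", "owner": "alice@example.com", "text": "CONFIDENTIAL customer list Q3",
     "collaborators": ["bob@example.com", "partner@vendor.test"], "link_sharing": False},
    {"id": "d2", "owner": "carol@example.com", "text": "Internal draft of the offsite agenda",
     "collaborators": [], "domain_wide": True},
    {"id": "d3", "owner": "dave@example.com", "text": "Payroll export 123-45-6789",
     "collaborators": ["dave@gmail.test"], "apps": ["PDF Converter Pro"]},
    {"id": "d4", "owner": "erin@example.com", "text": "Lunch menu", "link_sharing": True},
    {"owner": "broken@example.com", "text": "record without an id"},
]

if __name__ == "__main__":
    for doc_id, findings in run_pipeline(SAMPLE_RECORDS).items():
        for issue, action in findings:
            print(f"{doc_id}: {issue} -> {action}")
```

Running it reports d1 as a crown-jewels exposure (restricted content shared with an outside collaborator), d2 as sprawl (internal content shared domain-wide), and d3 with three findings at once: restricted payroll data shared to a look-alike personal account and readable by a third-party app. The publicly classified lunch menu with link sharing produces nothing, which is the point of classifying before controlling: the control step should only fire where the data warrants it.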
3) As for the third question, when to start, a better question might be: is there a legitimate reason not to start right away? From a risk management perspective, the answer is ‘no’. The public cloud is new; it gives users leeway to expose data in new, unmonitored and uncontrolled ways; and the usage and the risk are growing as data, users and workloads migrate from well-controlled on-premises infrastructures into the cloud.
Sometimes the argument takes a different form: the technologies for addressing these issues aren’t mature. As someone who remembers floppy disks and phone cradles for fax machines (and made a decent income doing creative and productive things with them), I can tell you that the only time technology is mature is when it is being replaced by something completely disruptive. The state of the art in API-based security solutions is excellent and, as a practical matter, affords better security at lower cost than many of the mature technologies they are disruptively replacing. CloudLock, the product my company makes, embodies the principles above and is a good example of how to align security with SaaS.
This is a great time to be in cloud security. The confluence of need, paradigm, practical technology and architecture makes for simple security and compelling value-add.
How are you securing your data in your cloud? Learn how CloudLock helps you protect your data in the cloud, not from it, with our people-centric security solution for Salesforce and Google Apps.