We are wrapping up an exciting round of CloudLock User Groups. After days of interactive sessions on security best practices, product updates and roadmap, the uprising of CyberLab research and customer engagement, and hands-on trainings, a few important recurring themes came up:
Securing People, Not Systems, in the Cloud
Let’s start with basic logic. If People = Access, and Access = Power, then Access to People = Access to Power. This holds true for cybercrime, too. It is no surprise virtually all customers at the user group admitted to the incredible increase in phishing attacks targeting their organizations.
Since work is no longer a place you go to in the morning, but rather a set of tasks that can be accomplished anytime, from anywhere, the line between corporate and personal behavior norms blur. Providing guidance of appropriate corporate behavior and reinforcing its enforcement is the a challenge that security teams face. And in that sense, perimeter security is only somewhat relevant, as protecting this constantly moving group of people, access points, and data becomes the priority.
With hackers changing attack mechanisms almost weekly, customers are constantly challenged with reinventing security strategy, applying the appropriate measures, then going back and changing plans again.
User Education Continues to be 51% of the Battle
All said above is true. We must be smarter, faster, more innovative than the next cyber attacker. But we, the security team, even the security systems we use, only scale to a point.
Even the most effective of security programs will crack with a simple mistake by an end user. Having a structured education program that is not only mandatory, but also helpful for employees, is crucial.
“My Data, My Responsibility”
Where does the responsibility for security lie? Cloud providers? Your own organization? The answer was uniform – “my data, my responsibility”. Many referenced AWS’s shared responsibility model, but the same applies for cloud application providers like Microsoft, Google, Dropbox, Salesforce, and more.
While providers are ultimately responsible for securing the infrastructure and are slowly introducing user access controls, organizations are responsible for understanding and securing users, apps, and data usage.
“When you’re in a highly competitive business like ours, anything that will reflect poorly on us is our problem.”
Avoiding the next data breach is crucial whether you’re a private tech company looking to protect the service, a retailer holding valuable IP and/or PCI data, or a government organization. Protecting accounts, particularly of privileged users, becomes critical.
Cloud and Security Enablement (Should) Go Hand-in-Hand
The best security teams have found a way to deliver security as a business enabler, making security relevant to both line of business leaders and their employees. The key is finding an engagement model that works. What can reasonably be asked of our end users while letting them continue to do the work they care about?
“I spent the first 2 months in my role talking to business leaders and asked what security meant to them. File access? Password management? People didn’t really know what they had to do.”
Start by helping users understand the difference between a hacker kicking the corporate network door down (or stealthily picking the lock) and an employee simply handing them the key. Then, armed with intelligence on how employees use the cloud, develop a process that bridges the gap between business and security, finding a way to say yes to cloud usage.
The Hidden Security Threat: Cloud-Native Malware
Third-party app installation more than doubled in the past year, with over 200K currently connected to corporate environments. These apps come in all shapes, sizes, and security trust-worthiness.
Some come from established vendors, are well funded, and well secured against hacks in themselves. Some are broadly productive, yet questionably secure. Some require excessive access permissions (justifyingly or not). Some are specialized and used by so few users, it is hard to tell what they are. Some do not belong in a corporate setting (dating, gaming, inappropriate content apps, anyone?). And some are developed by malicious parties to serve as an infiltration mechanism into an organization.
Customers all agree that awareness of all apps’ existence, understanding each of their risk, and the ability to block/remove them seamlessly is a must. And they all take different approaches in doing so. The most stringent of organizations block by default, with a justification process in place for whitelisting. The most sophisticated of customers build out processes that automate much of the decision, leaving the legacy system of manual approvals behind.
Cloud Security Extends to AWS
When people think CASB, they now think beyond SaaS. Securing the apps that live and breath on IaaS & PaaS is no longer a second thought.
Customers are looking for visibility, control, and automated security actions for these apps.
- Visibility into the exposure level of each app, pointing out true risk from the noise.
- Control by triaging risk intelligently, while targeting controls with granularity.
- Risk-appropriate action that helps the business scale.
And with that it ends. Thank you to all our customers for an eventful and memorable year – we look forward to next year’s conference.
Want To See What All The Hype Is About?
Experience the CloudLock Security Fabric first-hand in a demo. Find out how you can secure your users, apps, and data across the entire cloud ecosystem, including SaaS, IaaS, PaaS and IDaaS environments.