The security market for Google Apps is changing.
Since early August, we have been witness to a transition in the security space as previously free applications have begun charging for their services. While CloudLock has partnered with, supported, and engaged in enterprise design with paying customers since 2007, there have historically been free alternatives to the enterprise security platform that we’ve provided to Google’s largest customers.
That is no longer the case.
Security, especially at the enterprise level, is not the domain of freeware or lead-gen tools, and as the number of customers and seats under license grows, the ability of those types of solutions to support and manage the real threats that sensitive data exposure represents is diminishing. The cloud is no longer a curiosity, and it is a mistake to believe that organizational security can be addressed solely through the platform vendor.
This is not news to anyone who has been dealing with security for more than a few years. With few exceptions, even on-premises environments were built with an understanding that platform vendors provided frameworks for security — filesystems, APIs that allowed for packet monitoring at the ring-0 level, and so on — while security vendors provided solutions that built upon those frameworks. Entire industries exist at each level of the traditional network stack, solely focused on mitigating threats that exist as external forces probe and prod at corporate and organizational perimeters.
With the cloud, the premise is no different: whether it’s Google or Amazon or Salesforce providing the infrastructure, certain elements of security rely upon good practices from the platform provider. Only they can ensure that data is properly encrypted on the wire, for example, or that their physical data centers are secure and monitored around the clock for DDoS-style attacks.
Other considerations fall to the consumer:
- ensuring that critically sensitive intellectual property or regulated information is not externalized via an employee’s mistake or intentional action,
- enforcing automatic compliance rules that are highly tailored to the specific types of data that matter to the business, or
- monitoring and enforcing policy around which third-party applications are allowed to read data from the platform in exchange for some service.
The reality is that this kind of work takes real effort, investment, and expertise. It is unsurprising that the “free alternatives” are stepping away from providing this type of service without charge. We suggest that certain questions should be considered by enterprise security professionals who are looking for a cloud security platform, especially as they evaluate where to spend their budgets:
- Can the provider I’m considering offer a complete security solution, covering not only visibility, but also best-practice-compliance analysis for PII, PCI, and IP?
- How detailed are the analysis tools? Is true algorithmic detection available, on par with what the industry has recommended for the last 15+ years, or just simple pattern matching?
- How does policy enforcement work? Can I build nuanced rules that support enterprise data classification and automated remediation, or do I have to directly manage all incidents?
- Does the platform integrate out-of-the-box with my SIEM platform and process?
- How does the platform provide real security around third-party application access to my environment? Can I build policy around scope of access, user vs. administrative exposure, and automate the removal of blacklisted applications?
Finally, as the trend away from freeware continues, consider the source. A vendor who is trusted enough to be paid for their services should do more than offer a trivial API wrapper. Look for a track record of being capable of supporting enterprise security, with a skilled team and a history of security thought leadership.
Consider commitment to the space, especially in terms of the investment in professionally managed security audits and certifications (rather than self-certified attestations that mean little in practical terms). Review their marketing materials: do they rely upon jargon and buzzwords that belie a lack of experience in meeting stringent compliance standards? Is the vendor offering HIPAA compliance without offering a BAA, or claiming that simple RegEx pattern matching is sufficient to meet stringent PCI-DSS standards?
Security is a real problem, and solving it takes more than good intentions and a pricing page. We are excited to see the recognition of this within the market, and welcome the opportunity to help organizations navigate their choices and make prudent decisions about where and how to invest in professional platform solutions.
Join us on Thursday, October 10th for our CloudLock Guide to Selecting an Enterprise Cloud Security Solution Webinar as we discuss how you can secure your organization’s information in the cloud by:
- Building a cloud information security program
- Approaching data classification as part of your cloud DLP strategy
- Securing your organization’s Google Apps data and users
- Governing 3rd party apps that have access to your Google Apps domain
This webinar has already been held.