Cloud Access Security Brokers & The Future Of Enterprise IT
“There's no doubt that moving business to the cloud changes the nature of your security challenges, but it isn't going to resolve them.”
Ian McAdam, Managing Director,
Pacific Region, Symantec
Your approach to security, whether it applies to business information or physical assets, has always been about your appetite for risk. In some organisations, including governments, banks, healthcare providers and any organisation that deals with emerging markets, this appetite is naturally lower. Financial impact is the primary risk consideration when you focus on data security but there's also the threat to intellectual property, business disruption that hurts productivity and the potential for reputational damage.
Your ability to minimise these risks is constrained by budget and access to skills. These inform every conversation about levels of security investment and where you're going to place your pieces for maximum impact. How much appetite for risk does your business have; how exposed are you and how much money do you have to solve these problems? For many organisations, having access to the right people is often an even bigger problem than the budget restrictions. The pragmatic approach to security considers resources first and then budget. What can you realistically get done, who is going to do it and how long will it take?
There's an opportunity to challenge traditional models as your organisation moves applications and infrastructure out into the cloud, tailoring security services to meet your requirements as they change. There are also many new considerations because it will never be a straight replacement of your current environment. Of course, one fundamental aspect remains the same - however your business chooses to take advantage of cloud-based services, your customers will ultimately hold you responsible for the security of their data.
In the pages that follow we'll identify the biggest security challenges your organisation will face as it embraces cloud services, we'll offer some best practice advice and share some thoughts on where the market's headed. There's no doubt that moving business to the cloud changes the nature of your security challenges but it isn't going to resolve them.
Not only is information leaving your organisation, it is happening on a grander scale as you embrace enterprise wide collaboration suites. Once, it was limited to 7-15 per cent of emails and no files sharing. But as you adopt collaboration suites like Office 365 and Google apps, it means all your email and filesharing is going off-site. What does this mean for your current architecture capacity?
Most organisations use or are adopting cloud applications and services. Office 365 and Google Apps provide a range of business applications. Box and Dropbox focus on collaboration boosting file sharing. Salesforce, ServiceNow and others provide platforms for specific functions. Infrastructure services such as AWS and Azure provide the foundation for even bigger enterprise cloud IT initiatives.
Cloud services are becoming a core part of enterprise IT resources, making CASB a critical security requirement. As attitudes to cloud security mature, many organisations are looking for a new approach. 50% of enterprises with more than 1000 users will deploy products provided by cloud access security brokers (CASBs) by 2018 to monitor their use of software-as-a-service and other forms of public cloud. This reflects the growing recognition that the secure use of public cloud requires explicit effort from the customer.Source: Gartner
Your organisation is responsible for the users, data and activity in the cloud applications, while the Service Provider is responsible for everything else. CASB give your organisation visibility and control of users and workloads operating outside the traditional perimeter.
It's more difficult to secure your business information in the cloud than it was within your company's own technology infrastructure. Your business needs to adopt new techniques and solutions to protect its data in this environment. Here are the main security challenges you need to consider.
Life is different in the cloud because you no longer have control but still wear the same level of risk. This lack of control can be a real issue when a service provider schedules weekly updates. These usually take place at a convenient time for US customers, which pushes them into the Australian business day. Tier-one cloud vendors like Amazon Web Services and Microsoft will generally issue a warning that gives you an opportunity to work around times when their services are restricted or unavailable. Less mature providers won't offer this level of change management notification.
When you move to the cloud, you carry the burden of responsibility and for better or worse, trade some control to reap the benefits.
The ease of accessing cloud services with a corporate credit card can create fragmentation in your organisation. This is often referred to as Shadow IT. These recurring monthly payments are much lower in value than capital expenditure and don't attract the same level of financial rigour. Your internal IT team may only become aware months later when they're asked to start managing the application. Only then do you discover that you could have multiple instances of Salesforce running in various departments with no governance in place.
When you move to the cloud, it can be challenging to understand what applications your employees use and who has access.
Smart devices blur the boundaries between personal and professional lives. This is a security challenge because your staff want to use consumer applications for work. In many instances these cloud-based apps are not sanctioned by your business. For example, users bypass your customer relationship management system because it's easier to share information with other people using Dropbox or Evernote. Now you have a situation where sensitive information can be leaked because it's shared inappropriately or a hacker gains access to somebody's personal account.
When users can even upload documents to Skype it's a challenge to keep your data secure.
This is still a concern in regulated industries. Tier-one providers offer cloud services based in Australia but don't provide any assurance that all your data will be stored here all the time. Replication processes ensure data is available if there's an issue with the local data centre but there are security implications. That's because service providers like Amazon and Microsoft are subject to US law. Even if you have great access control, including vigorous policies around who can access or monitor data, it will be handed over if there's a legal mandate from a US government department.
Though the internet has no physical borders, regulatory authorities around the world are implementing virtual borders around personal information which govern cloud strategies.
You need to put security provisions into cloud contracts. This is easier said than done because cloud service providers often refuse to include security elements in service level agreements. They'll provide certificates to demonstrate compliance with industry standards but you're not necessarily covered when you dig into it. If a major bank can't force Google or Salesforce to comply with its information security standards, it's going to be impossible for smaller organisations. Expect to see new service providers offering this as a differentiator to attract customers.
Identify what security your service provider supplies and make sure you can meet your contractual responsibilities.
It takes time for people to adjust when they can no longer contact the internal IT team. There's also a danger that your business loses agility and resilience. Historically, you'd walk into a data centre and know what different assets did. You'd know who owned them and what information they contained. You could decommission or add new ones as required. Now you need good governance around what cloud services your business is using. Without it people will be scared to turn something off because nobody really understands what it does or how it will impact everything else.
Users need coaching and guidance to understand best practises when and how they can operate in cloud.
If you move data from one service provider to another, how is the original copy removed or destroyed? This will become increasingly important. If you've encrypted data you don't need to be overly concerned but if it's not, and it contains sensitive information, you'll want to know how your security concerns will be managed. It's easy to pay for a service using a credit card but people tend not to consider the termination of service process. Without due diligence to see that data is removed, you could end up with vulnerable islands of information.
How do you get back information that is owned by the organisation, but is residing on a cloud application funded by an employee? Early intervention by continuous monitoring and trend analysis of cloud application usage is vital and covers BYO connectivity leakage.
An effective cloud security strategy begins by identifying your critical data and clearly understanding how it's used across the business. This is based heavily on the type of industry you're in. It sounds obvious but clearly identify your most important data assets and know where they live.
Patient records are the most critical assets for any medical practice.
Rivals would love to know the location and volume of gas reserves.
Transparent production costs change what customers will pay.
Your business suffers if a competitor gains real-time access to price changes.
The Finance sector is a prime target for cybercriminals trying to access banking information.
Data breaches can undermine trust in the government’s ability to protect information.
More broadly, regardless of industry, your business has a lot to lose if information about mergers and acquisitions or research and development falls into the wrong hands. Now your rivals have an opportunity to start a bidding war or launch a competing product. There might also be certain times when you're more vulnerable or likely to come under attack. The weeks leading up to the release of financial reports are critical for listed companies because anybody who gains unauthorised access could use this information to inform stock market decisions.
Accept that sensitive information will be residing in cloud applications and it will change your approach to dealing with the problem!
The next issue to consider is what cloud applications you're currently consuming. Which of these have been sanctioned as corporate applications and have the appropriate controls in place? Which are potential avenues for data loss or the mishandling of information? This is critical because once you understand where data is, and how it's being used, you can start to look at business processes to see if they're aligned properly. Ultimately, it's a question of mapping available skills, budget and priorities against your appetite for risk.
The ability to better manage funds or resources is a major benefit of cloud security. But it means changing your approach to data security. Instead of treating it like insurance and paying for the level of cover your business can afford, you can scale your payment plans and level of protection as needed. This is determined by two main factors:
Presence Of Threats
You might choose a post-breach view of the world where consumption of security resources goes up after an event has occurred. A low-cost measure and managed service tracks daily activity to make sure everything's OK but only reports back to you when something's wrong.
This is an affordable way to get peace of mind, knowing that your service levels transform when there's an exception. But the speed at which the higher level of service can be activated is vital. If you're going to pay less now, be prepared to pay a premium when something bad happens and be sure that the transition will happen very quickly.
The beauty of this in terms of capacity modelling is that you don't need skilled resources sitting around waiting for a job and you don't need to waste time checking that everything's OK. Now you're only spending on data security when there's an obvious need so there's a tangible business case.
Scaling with staff is expensive whether you use internal or external resources. Data science, machine learning and artificial intelligence can be leveraged to have an affordable 24/7 threat detection system.
Changes In Demand
This is attractive if your business has obvious spikes in demand. Classic examples include a bookmaker during the Melbourne Cup or a retailer in the run-up to Christmas. Instead of having skilled resources sitting around you can use cloud to scale up and down as required.
From a security perspective, the exponential jump in transactions during peak periods mean you're looking for the same needle in a much bigger haystack. Your vulnerability greatly increases both from a financial risk perspective and because your infrastructure is under greater strain. It's not just a matter of scaling your capacity. You need to escalate what you're looking at and how you're looking at it.
For most organisations, it doesn't make sense to have these specialist skills on permanent staff. You need a pool of talented people, based locally or overseas, who can be called on when needed.
When scaling up and down infrastructure and applications, you also need to make sure that your security scales and that you have processes monitor for any changes in posture as a result of auto-scaling.
Security concerns are often cited as a reason not to move business into the cloud. Unfortunately, your users will go there, with or without your approval and unauthorised Shadow IT is a real issue. Progressive organisations are looking to take advantage of cloud-based services wherever possible, while taking the time to ensure they plan a secure journey. Here are the main cloud security trends you should be aware of during the next few years:
Well established cloud applications like Amazon Web Services, Microsoft Azure and Salesforce will be around for the long haul. The rest of the cloud marketplace will be in a state of constant flux. Just look at how many file-sharing services have been launched in the past few years. As applications pop up and disappear again you need to monitor which ones your business has authorised and which your people are using. Security policies and risk appetites need to be more dynamic. Large organisations have historically taken a long time to change but will re-evaluate much more quickly in future.
You hold your Cloud Applications providers to task for making sure that their applications are developed securely and reside in safe, secure and stable infrastructure, but what about you own applications and developers? How does your own environment compare?
Internal IT teams often view the cloud as a way of taking something off their plate but nothing could be further from the truth. You'll need to audit third-party services that people within the business are using, providing dashboards to show how the risk posture is changing over time. You'll need to feel comfortable that your integration strategy is protecting corporate data. API-based interfaces give people greater visibility over information and be used to for control and reporting.
Start with the assumption that you will have sensitive information on cloud applications and work back from there when looking at how people work.
Most technology investments have clearly understood metrics to measure and report on performance. The best measurement of success in security is that nothing happened. The currency of security is trust. The outcome of having no breaches to report is increased trust. Forward-thinking organisations are running reputation management programs to build an excellent name for handling customer data. When you can measure how much you're trusted by customers, you have a reasonable understanding of how important security is to your business. The next frontier will be to draw conclusions about how secure your business is, to a degree of certainty, based on different measures. organisations that are building digital reputation management teams are staffing them with people who have backgrounds in security. Increasingly we'll see businesses using the blurry edge of data science to draw conclusions.
To extract value you must know what is your organisation needs at that time, not just capture a static measurement. Take the time to understand the capabilities that your security service providers supply and how you should use them. Remember, SaaS providers using agile development release new capability every month or quarter, it is not like the once traditional 1 - 2-year release software cycle.
There'll be a rise in the number of sizeable cloud-only companies. Lots of small businesses are already there but it won't be long before there are multinationals with no servers or networks, relying totally on cloud-based applications. Cloud has been sold as a dream but it's still a system that needs considered operation. It isn't an opportunity to take a hands-off approach to data security. You might change the nature of a problem, and maybe even reduce associated costs, but you haven't taken the problem away. That's why you built your systems in the first place.
You need to invest in training and enabling your teams not only in developing your own cloud applications, but in understanding third party products and the security systems and services that protect your users and information.
Cloud access security brokers (CASBs) sit between the consumers and providers of cloud services, enabling levels of security and compliance that were previously impossible. Internal security teams can use this technology to set policies, monitor behaviour and manage corporate risk across the entire range of cloud services being used across the business. CASBs enable organisations to uncover data loss blind spots in sanctioned and unsanctioned cloud apps-both on-premises and to the cloud.
Research firm Gartner splits CASB functionality into four pillars:
Understanding which cloud-based applications are being used means you can make informed business decisions on the risks they present.
Reporting tools enable you to clearly define the features a cloud-based application needs before it's considered for deployment.
Encryption or tokenisation helps protect your cloud data, meeting legal and regulatory requirements while retaining control.
CASB gives your business the ability to predict, prevent, detect and respond to cloud-based threats.
Gartner estimates fewer than five percent of large enterprises were using a CASB in 2015. That number is expected to reach 85 percent by 2020.
Don't rely on paper based assessments of capability, get your hands dirty and test not only the capability, but its ability to be operationalised in your organisation. It's vital to develop a real use case.
The first step for any organisation to manage risk is to find the points of exposure. If you are concerned about what type of content is being uploaded into your cloud accounts; worried about your compliance risks; and uncomfortable about what sensitive data may be exposed, request a Shadow Data Risk Assessment and uncover risky exposures in minutes.
When you request a Shadow Data Risk Assessment, you will receive:
To get a Shadow Data Risk Assessment for your cloud account, please click here.
Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps organisations, governments and people secure their most important data wherever it lives. organisations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.
Arrow ECS ANZ is owned by Arrow Electronics, Inc. - a Fortune 150 company with 18,500 employees worldwide. We are a distribution specialist supporting our reseller partners to bring technology solutions to a breadth of end user markets, including telecommunications, information systems, transportation, medical, industrial and consumer electronics. Arrow ECS ANZ is an enterprise distributor for Symantec across Australia and New Zealand, if you are a channel partner and would like more information about Symantec solutions and how partnering with Arrow ECS can enhance your business, contact us on 1300 673 506 (AU) or 0800 32 22 55 (NZ) or email us at firstname.lastname@example.org.