Out Of
The Shadows

Cloud Access Security Brokers & The Future Of Enterprise IT

“There's no doubt that moving business to the cloud changes the nature of your security challenges, but it isn't going to resolve them.”

Ian McAdam, Managing Director,
Pacific Region, Symantec

01

Embracing
& Managing Change

Your approach to security, whether it applies to business information or physical assets, has always been about your appetite for risk. In some organisations, including governments, banks, healthcare providers and any organisation that deals with emerging markets, this appetite is naturally lower. Financial impact is the primary risk consideration when you focus on data security but there's also the threat to intellectual property, business disruption that hurts productivity and the potential for reputational damage.

Your ability to minimise these risks is constrained by budget and access to skills. These inform every conversation about levels of security investment and where you're going to place your pieces for maximum impact. How much appetite for risk does your business have; how exposed are you and how much money do you have to solve these problems? For many organisations, having access to the right people is often an even bigger problem than the budget restrictions. The pragmatic approach to security considers resources first and then budget. What can you realistically get done, who is going to do it and how long will it take?

There's an opportunity to challenge traditional models as your organisation moves applications and infrastructure out into the cloud, tailoring security services to meet your requirements as they change. There are also many new considerations because it will never be a straight replacement of your current environment. Of course, one fundamental aspect remains the same - however your business chooses to take advantage of cloud-based services, your customers will ultimately hold you responsible for the security of their data.

In the pages that follow we'll identify the biggest security challenges your organisation will face as it embraces cloud services, we'll offer some best practice advice and share some thoughts on where the market's headed. There's no doubt that moving business to the cloud changes the nature of your security challenges but it isn't going to resolve them.

02

Cloud Security - By The Numbers

Key Takeaway:

Not only is information leaving your organisation, it is happening on a grander scale as you embrace enterprise wide collaboration suites. Once, it was limited to 7-15 per cent of emails and no files sharing. But as you adopt collaboration suites like Office 365 and Google apps, it means all your email and filesharing is going off-site. What does this mean for your current architecture capacity?

A New Approach

Most organisations use or are adopting cloud applications and services. Office 365 and Google Apps provide a range of business applications. Box and Dropbox focus on collaboration boosting file sharing. Salesforce, ServiceNow and others provide platforms for specific functions. Infrastructure services such as AWS and Azure provide the foundation for even bigger enterprise cloud IT initiatives.

Cloud services are becoming a core part of enterprise IT resources, making CASB a critical security requirement. As attitudes to cloud security mature, many organisations are looking for a new approach. 50% of enterprises with more than 1000 users will deploy products provided by cloud access security brokers (CASBs) by 2018 to monitor their use of software-as-a-service and other forms of public cloud. This reflects the growing recognition that the secure use of public cloud requires explicit effort from the customer.

Source: Gartner
Statistics sourced from the Cloud Industry Forum, Forrester Research, Frost & Sullivan, Gartner, SANS Institute and Thales e-Security

Key Takeaway:

Your organisation is responsible for the users, data and activity in the cloud applications, while the Service Provider is responsible for everything else. CASB give your organisation visibility and control of users and workloads operating outside the traditional perimeter.

03

Cloud Security -
Challenges

It's more difficult to secure your business information in the cloud than it was within your company's own technology infrastructure. Your business needs to adopt new techniques and solutions to protect its data in this environment. Here are the main security challenges you need to consider.

04

Cloud Security - Strategy

An effective cloud security strategy begins by identifying your critical data and clearly understanding how it's used across the business. This is based heavily on the type of industry you're in. It sounds obvious but clearly identify your most important data assets and know where they live.

What's Your Critical Data?

Healthcare

Patient records are the most critical assets for any medical practice.

Resources

Rivals would love to know the location and volume of gas reserves.

Manufacturing

Transparent production costs change what customers will pay.

Retail

Your business suffers if a competitor gains real-time access to price changes.

Finance

The Finance sector is a prime target for cybercriminals trying to access banking information.

Government

Data breaches can undermine trust in the government’s ability to protect information.

More broadly, regardless of industry, your business has a lot to lose if information about mergers and acquisitions or research and development falls into the wrong hands. Now your rivals have an opportunity to start a bidding war or launch a competing product. There might also be certain times when you're more vulnerable or likely to come under attack. The weeks leading up to the release of financial reports are critical for listed companies because anybody who gains unauthorised access could use this information to inform stock market decisions.

Key Takeaway:

Accept that sensitive information will be residing in cloud applications and it will change your approach to dealing with the problem!

  • Where is our information going?
  • What applications are we using?
  • What information is stored in outsourced infrastructure?
  • Who/What shifts information outside of the company?
  • What controls do we have protecting information stored in cloud applications?
  • Who is protecting this information and how well?



Current State

The next issue to consider is what cloud applications you're currently consuming. Which of these have been sanctioned as corporate applications and have the appropriate controls in place? Which are potential avenues for data loss or the mishandling of information? This is critical because once you understand where data is, and how it's being used, you can start to look at business processes to see if they're aligned properly. Ultimately, it's a question of mapping available skills, budget and priorities against your appetite for risk.


A More Flexible Approach

The ability to better manage funds or resources is a major benefit of cloud security. But it means changing your approach to data security. Instead of treating it like insurance and paying for the level of cover your business can afford, you can scale your payment plans and level of protection as needed. This is determined by two main factors:


05

Cloud Security -
The Future

Security concerns are often cited as a reason not to move business into the cloud. Unfortunately, your users will go there, with or without your approval and unauthorised Shadow IT is a real issue. Progressive organisations are looking to take advantage of cloud-based services wherever possible, while taking the time to ensure they plan a secure journey. Here are the main cloud security trends you should be aware of during the next few years:

The Rise Of Cloud Access Security Brokers

Cloud access security brokers (CASBs) sit between the consumers and providers of cloud services, enabling levels of security and compliance that were previously impossible. Internal security teams can use this technology to set policies, monitor behaviour and manage corporate risk across the entire range of cloud services being used across the business. CASBs enable organisations to uncover data loss blind spots in sanctioned and unsanctioned cloud apps-both on-premises and to the cloud.

Research firm Gartner splits CASB functionality into four pillars:

Visibility

Understanding which cloud-based applications are being used means you can make informed business decisions on the risks they present.

Compliance

Reporting tools enable you to clearly define the features a cloud-based application needs before it's considered for deployment.

Data Security

Encryption or tokenisation helps protect your cloud data, meeting legal and regulatory requirements while retaining control.

Threat Protection

CASB gives your business the ability to predict, prevent, detect and respond to cloud-based threats.

Gartner estimates fewer than five percent of large enterprises were using a CASB in 2015. That number is expected to reach 85 percent by 2020.

Source: How to Evaluate and Operate a Cloud Access Security Broker (Gartner)

Key Takeaway:

Don't rely on paper based assessments of capability, get your hands dirty and test not only the capability, but its ability to be operationalised in your organisation. It's vital to develop a real use case.





Shadow Data Risk Assessment

The first step for any organisation to manage risk is to find the points of exposure. If you are concerned about what type of content is being uploaded into your cloud accounts; worried about your compliance risks; and uncomfortable about what sensitive data may be exposed, request a Shadow Data Risk Assessment and uncover risky exposures in minutes.

When you request a Shadow Data Risk Assessment, you will receive:

To get a Shadow Data Risk Assessment for your cloud account, please click here.

06

About Symantec & Arrow ECS

Symantec

Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps organisations, governments and people secure their most important data wherever it lives. organisations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton and LifeLock product suites to protect their digital lives at home and across their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.


Arrow ECS

Arrow ECS ANZ is owned by Arrow Electronics, Inc. - a Fortune 150 company with 18,500 employees worldwide. We are a distribution specialist supporting our reseller partners to bring technology solutions to a breadth of end user markets, including telecommunications, information systems, transportation, medical, industrial and consumer electronics. Arrow ECS ANZ is an enterprise distributor for Symantec across Australia and New Zealand, if you are a channel partner and would like more information about Symantec solutions and how partnering with Arrow ECS can enhance your business, contact us on 1300 673 506 (AU) or 0800 32 22 55 (NZ) or email us at ecsanz.info@arrow.com.