Cloud Access Security 2015
Cloud Access Security Brokers (CASBs) have become an essential topic in almost all companies that rely heavily on Software as a Service (SaaS). With the average organization now using in excess of 600 cloud apps, companies need assurance that they are interacting with their cloud apps in a secure way.
How are we supposed to simultaneously embrace the cloud, use SaaS, and remain secure?
A typical modern-day company will have a list of sanctioned cloud apps. These are apps for normal day-to-day operations, like Office 365, Salesforce, Dropbox, etc. But most companies do not have an accurate pulse on the other apps their employees are using – the unsanctioned apps.
The unsanctioned apps may be completely acceptable and help employees with productivity. An example may be Dropbox for file sharing. Alternatively, the unsanctioned apps may be a) unknown, b) unsanctioned, and c) a risk for the company.
The first step in deciding how to approach cloud access security is to know what you don’t know. This means doing a cloud security assessment and deciding what the next steps should look like.
The fact that software as a service (SaaS) is managed by a cloud provider makes it attractive to many organizations, but this also means they are at the mercy of the provider for security features. Even worse, the provider generally has access to the data in the application. A solution may be found by introducing cloud access security brokers — gateways that can enforce access control, auditing and monitoring, and even encryption of data before it goes to the provider. Although promising as a design pattern, organizations must account for the impact and limitations of such solutions. (source: Gartner)
Network & App Security Assessments in the Cloud
Extremely detailed, elaborate network security assessments are rooted in the traditional on-premises data center culture. These dated security assessments are often imposed on cloud-based network environments and applications. The problem is that cloud-based SaaS apps can’t necessarily be measured with the same criteria. The spirit of the assessments can still be honored, but with control goals in mind and in a realistic way that still allows you to use the cloud.
Add-on components must be used to secure SaaS. Although viewed as an “emerging” market by the IT research and consulting industry, cloud access security is becoming a norm.
Consider the following strategic questions that Gartner suggests when you begin thinking about a cloud access security provider:
- How can and should security be added when you don’t control the application?
- What are the benefits and drawbacks of the security broker design pattern and solutions?
- How are security and application functionality balanced when encryption is used?
The bottom line is that we all are using multiple cloud apps and we all want to minimize the number of cloud access security brokers we need to use.
Fundamental security issues will surface as a result of a security assessment. Be ready to dive into how you are handling encryption, industry compliance requirements, and how you can test a new-and-improved approach with a proof of concept.
The following infographic features some interesting data points that will probably help support your decision to go ahead and do a cloud security risk assessment.