Cloud security is all the rage these days, and it’s driving CISOs and IT to revisit their overall security strategies in light of the new challenges posed by the cloud. Specifically, the cloud access market is a hot area of security these days and drawing a lot of attention among CISOs. This segment, which Gartner has coined the “Cloud Access Security Broker” (CASB) space, is quickly gaining momentum with a slew of vendors entering the market.
A Ponemon Institute study published last year highlighted some key areas that every CISO or IT professional should keep in mind as they develop or refine their cloud security strategies. We’ve summarized many of them here and elaborated on them further.
Am I responsible for safeguarding confidential information stored in the cloud?
Is it the cloud service provider or us? The short answer is “both.” You can think of it as a shared-security model, in which a provider like Amazon Web Services provides the foundational security elements, but it’s up to you the customer to ultimately secure the apps that are running on AWS. With this shared-security model it becomes very important for you to know who exactly has access to your cloud apps and to manage accordingly.
Do I even know which apps are being used in my organization?
There are so many cloud apps these days, it’s tough to keep track. Facebook, Twitter, Dropbox, Box, Salesforce, Google Apps, Office 365, and a huge list of others. And many are legitimately used for work purposes. As a result, traditional IT has had to change the way it finds out which cloud apps are being used by employees, how often they use them, and what they’re doing on these apps.
Who’s keeping an eye on all the folks accessing corporate data through mobile devices?
With the cloud comes a plethora of access points – not just corporate-managed devices, but also mobile devices that are beyond an organization’s control. The proliferation of tablets, smartphones, and other mobile devices have made securing the endpoints more challenging, especially when it comes to cloud apps. Since many apps like Box and Dropbox are cloud-based and often used by employees to collaborate and exchange sensitive documents, many times without IT even knowing it, this represents a serious security problem that does not bring joy to a CISO.
Can I make it tougher for hackers and third parties to access my sensitive data?
Short answer: “Yup, you sure can.” The best way to go about that, per the Ponemon Institute, is to employ multi-factor authentication. It’s a widely accepted (and preferred) method to verify a person’s identity. With password theft so common these days, multi-factor authentication is an effective way to prevent account takeovers and the inappropriate use of stolen credentials.
Hackers have come to realize it’s just as effective to access an account through stolen, but legitimate, credentials. Risk-based, multi-factor authentication can thwart that. Nobody wants to log in through a bunch of hoops and hurdles to access their account, but wouldn’t you feel more at ease if a bad guy got ahold of your credentials and was forced to provide not just your login credentials but maybe a one-time passcode that shows up on your mobile phone? The extra work doesn’t sound so bad now, does it? Especially when it’s triggered only when something looks fishy or is not the normal behavior for a particular user.
Do I really need encryption?
Even though most folks will discuss and debate the proper approach to encryption in any security design, the Ponemon study found that only 36% of respondents said they actually use encryption or similar technologies to secure their sensitive or confidential information at rest. This discrepancy between “talking the talk” and “walking the walk” may lie in the fact that encryption is just too damn hard to do.
Case in point: it might be easy to encrypt data, but more often than not, difficulties inevitably arise when the customer wants to hold the keys to decrypt the data. That part of the puzzle is not so easy to implement and the reason why you don’t see all customers rolling out cryptographic solutions.
Do I need to worry about regulatory compliance?
If you don’t want to end up in the headlines for all the wrong reasons, then, yes, you do. Compliance and security often go hand-in-hand. Whether it’s HIPAA, PCI DSS, SOX, or maybe even the Cloud Security Alliance with their best practice guidelines, organizations must be wary of the regulations that are applicable to them. It could be specific rules around password strength, authentication requirements, folder sharing, or admin delegation. And that’s just the beginning. Nearly all organizations must keep detailed audit records of access events, configuration changes, and other critical administrative tasks. Automating this can go a long way towards meeting and simplifying compliance obligations.
OK, you’ve got my attention. Now what do I do?
A prudent first step would be to take an honest look at what’s going on in your organization with respect to cloud app usage. Nearly all the CASB vendors offer some form of cloud discovery whereby they’ll analyze log files from web proxies or firewalls, but that only gets you rather general data, such as the number of apps in use in your organization, the number of users, the amount of traffic, and perhaps an overall risk score based on a given vendor’s research or analysis of an app provider.
Skyfence is the only vendor in the CASB space that provides cloud risk governance features that take cloud discovery to a whole new level. Until April 30th, we’re offering a free contextual risk assessment that paints the most accurate picture of your risk posture, so click here to get started on mitigating your cloud app risk.