In John Lennon’s final interview he said, “The thing the sixties did was to show us the possibilities and the responsibility that we all had. It wasn't the answer. It just gave us a glimpse of the possibility.”
The 1960s was transformative in so many ways – politically, socially, creatively, and technologically. In fact, the notion of cloud computing dates back to the 60s as a vision of treating computing as a utility with the subscriber paying for capacity used. The possibilities seemed boundless – widespread availability, unlimited computing power, speed, efficiencies, and cost effectiveness. But cloud computing would also bring responsibility.
Cloud computing is now more than a vision. It’s a reality that many IT security professionals are in the throes of dealing with today as they are faced with the responsibility of managing security in a cloud-based world. An increasingly important aspect is securing the usage of cloud apps, the market for which is expected to reach over $130B by 2020 according to Forrester. Today, business applications no longer have to fit within the walls of IT security infrastructure and many of them don’t. Instead, users can start running a cloud app within seconds with a few clicks and a credit card and can immediately begin to collaborate with anyone from anywhere to get their jobs done. Unfortunately, security professionals are often left in the dark, unaware of a new portal where outside users can access business data.
The problem is that many cloud apps aren’t as secure as people might think. A study earlier this year by Ponemon found that 50 percent of companies that build and deploy mobile apps for their customers devote no budget to mobile security, and many apps don’t even get tested for vulnerabilities. Of course not all cloud apps fall into this group – there are exceptions – but employees and even Line of Business heads have no way of knowing which apps are more or less risky. They’ll use apps, access and share data, and think they have the full complement of security technologies protecting them that they have within the walls of the enterprise or from proven vendors. This practice, called Shadow IT, and the resulting Shadow Data, prevents IT from gaining the visibility and granular control needed to intelligently protect the organization’s valuable digital assets.
Unsanctioned cloud apps aren’t the only culprits when it comes to exposing the business to malicious attacks. Even sanctioned apps or those that are seemingly secure are vulnerable because they involve user accounts, and user credentials are increasingly used as an attack vector into business data.
So how do we handle the responsibility that cloud computing brings? It’s a responsibility that must be shared among vendors, users, business leaders, and IT security professionals and involves three key aspects.
First, security solutions need to be adaptive and integrated. Security solutions must provide visibility and control everywhere and all the time: across attack vectors, including cloud apps, and the full attack continuum – before, during, and after an attack. This requires that cloud application security be part of an integrated threat defense architecture sharing data across firewalls, email and web secure gateways, and network and endpoint security solutions. Only then can security professionals fully understand the risks of each app, control how users share and access data, and identify and combat malware.
Second, there needs to be greater focus on trustworthiness. Security professionals need to understand what security and SaaS vendors are doing to build security into the heart of their products. Security should underpin all they do and they must verify that these products remain trustworthy through every point in the supply chain that delivers those products to them. And, they should ask vendors to demonstrate that their products can be trusted and to back up their claims contractually.
Third, collaboration across the organization is critical. Security professionals and business leaders must align to ensure the right apps and services are available to meet business objectives and minimize the practice of downloading unsanctioned tools. Processes to request apps and report potential malware must be simplified and actively communicated so that employees are encouraged to and understand how to use the proper channels to minimize risk and expedite response.
The benefits of cloud apps to the organization are undeniable, but so are the risks. By working together and sharing the responsibilities that come with the cloud we can shed light on how apps are being used and where the risks may lie so that we can take full advantage of the possibilities.