With so many cloud service providers that run the gamut from first-rate to not well known, navigating the cloud territory can seem as daunting as hitching a cart to a horse and heading west. No, moving to the cloud is not the same as the manifest destiny that drove people out west, but both the cloud and the westward expansion promised great expectations.
Over the last 18 months cloud migration has been as aggressive as the westward movement in early 19th-century America. Instead of horses and buggies, the virtual sky is littered with clouds like a traffic jam in a Jetsons episode. Organizations need to know what to look for in a provider to make sure that their cloud service lives up to their expectations.
In many ways, cloud delivers on its promises, though there are recognizable gaps depending on the service providers. Rich Campagna, vice president of products at Bitglass, said, “We are seeing up-to-date modern applications that are available anywhere. From a security standpoint, we are starting to see where cloud is living up to its expectations and where some vendors are not.”
Where security does not live up to its expectations can depend on the cloud service provider, but the enterprise remains ultimately responsible for any compromised data.
Jim Reavis, co-founder and chief executive officer at Cloud Security Alliance, said, “From a security perspective cloud companies that do security well are doing it very well, but a lot of cloud companies—and there are tens of thousands of cloud business services—are not well known.” Those companies that are less recognizable can sometimes provide less satisfactory products.
“There are issues of uncertainty,” Reavis said, “and sometimes security is not as well vetted. Some companies don’t have enterprise type features or don’t have a lot of security certifications.”
Reavis said, “You need to look at how data is being managed. Is it being protected? Stored in alignment with any regulations? You don’t have the indirect attacks where cloud users get phished, but a lot of risk is about data.” Accessing data or not being able to access data is a potential risk, but data can also be compromised in the cloud depending on the cloud business service.
While cloud may work as a superior product for some organizations, there is no universal application that fits for all companies. From accessibility to security and everything in between, companies can make informed choices if they ask the right questions when deciding on which service provider is best for them.
Dave Cole, chief product officer at CrowdStrike, advised that when moving to cloud, “make sure you are using cloud for the right reasons.” Asking need-based questions, said Cole, is important in determining the right services. Vendors should be able to answer questions like, “exactly what data are you sharing? How is it being protected? What type of certifications have you achieved?” Cole said.
What are the benefits of cloud?
The ease of access to information without having to have infrastructure on premise is a notable advantage of moving to the cloud. “In the middle of an incident or breach, you don’t have to deploy a server anywhere, and in the midst of a breach time is critical,” said Cole. But shifting the server from on premise to a cloud service provider is about more than saving time during an incident or breach.
In addition to allowing employees to work remotely, “cloud means we have the ability to have employees anywhere working from any device and still have extreme visibility into endpoint,” Cole said. This extreme visibility is also beneficial with BYOD, as the cloud can see to the endpoint on any device.
For a lot of organizations, cloud meets its expectations while also presenting some new challenges. Morey Haber, vice president of technology at BeyondTrust, said, “For SaaS and for extending QA and development, cloud has lived up to its expectations. But in some ways it hasn’t. Specifically, for extending the data center, it has been problematic and presented new challenges for organizations.”
The convenience factor and the ability to expedite access and response are great assets, but companies need to know security remains a concern in the cloud. “We have a demo lab, we use a cloud for that. We don’t worry about anything. The convenience, the stability, the backup, I don’t have to worry about any of that,” Haber said.
Cole agreed that while cloud offers complete visibility, risks remain when it comes to “proliferation of services and adding layering on top of that. There are issues with policy and data leakage.” As the landscape of the cloud continues to expand and evolve, corporations need to understand the policies that are used to secure and collect data.
For companies that are still in the midst of migration to the cloud, the idea of needing another measure of security can seem overwhelming. They have done their due diligence, analyzed their risk assessments, and determined that now is the time to move to the cloud. Just as they’ve transported their sensitive data, they are being told the cloud might not be enough.
Is relying on the cloud security enough, or should cloud and CASBs go hand in hand?
Haber said, “Anybody considering using the cloud for whatever technology—always try to grade or rate the sensitivity of the data they are placing in the cloud because that will gauge the risk and liability.”
Cloud access security brokers afford organizations extended security for their devices and networks, but whether companies need a CASB or not is based on risk assessment.
Campagna said, “CASB is a central point of visibility control that an organization can put in place to protect any cloud applications they wish. The CASB will build controls from embedded trackers to applying encryption to outright blocking of a transaction or redaction of information so that there is not a compliance exposure.”
Data and information are all over the place. When data goes into the cloud, it is essentially sitting on someone else’s computer. “Now all sensitive data is stored on somebody else’s computer—a black box, and you don’t know how it’s protected,” said Campagna.
Where the physical environment once protected on-premise infrastructure, that barrier is obsolete in the cloud. Campagna said, “What’s different is that literally anyone can log in to a cloud door and get access into the application. Can we guard that front door—data access firewall so to speak.”
Not only can anyone access the cloud, but cloud data gets synced down to devices. Campagna used a hypothetical example of company X that just deployed Box. “Employees are going to download the Box app onto all their different devices, and now a cloud problem has become a mobile access problem,” Campagna said.
“Anyone that has sensitive data to protect and is moving to the cloud has the potential need for a CASB. They have sensitive intellectual property that they want to protect,” Campagna said.
Any reasonably sized organization has some amount of information assets that they want to safeguard. “At the very least, a CASB is a good solution for getting visibility into external file sharing, for example,” Campagna said.