2017 security predictions

What to do when your network is wide open

How can you enforce internal policies and industry compliance mandates when there’s no longer an identifiable network perimeter?


The cloud is now a mainstream IT platform. Through its unlimited economies of scale and its ability to deliver IT resources dynamically whenever users need them, the cloud’s popularity permeates through businesses of all sizes and industries.

While they enjoy cloud benefits, many in IT still feel challenged to fully secure the new platform. There might be one or more cloud services linking to your corporate and partner network, all being accessed by both mobile and traditional users. How can you enforce internal policies and industry compliance mandates when there’s no longer an identifiable network perimeter?

Ganesh Kirti, CTO and co-founder of Palerra, outlines several related issues that worry chief information security officers (CISOs) when it comes to securing the cloud:

1: Sharing security responsibilities with your provider

The cloud provider takes responsibility for the security of its own infrastructure. But the business customer is responsible for deciding—and enforcing—which users can access its cloud resources and applications. In other words, the business customer needs to set up access rights and a way to authenticate users and devices requesting cloud service. That’s not the cloud provider’s responsibility.

Tip for CISOs: Configure security controls such as authentication policies, encryption schemes, and data access policies. Use Identity & Access Management (IAM) to secure and restrict user access to services and data. Enable auditing so that you have visibility into compliance violations and unauthorized access.

2: Taming unmanaged traffic

There was a time when the primary enterprise security solution was to force user connections through a single common security checkpoint. With the advent of multiple networks and mobile users, however, this is no longer practical. Unmanaged traffic by definition is traffic you don’t know about. It can be user traffic, or it can be cloud-to-cloud traffic, which accounts for a significantly larger portion of the load. You can’t direct traffic through your standard checkpoint if you and your network are unaware of it.

Tip for CISOs: Securing cloud services using a checkpoint (proxy) will leave many blind spots. Make sure to secure users and data at the cloud service (i.e., security at the source) via APIs. Monitor users, privileged administrators, and third-party apps to detect unauthorized access.
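The kind of source-side monitoring described in this tip, as an added example that is not from the article or from any vendor: a Python review of audit events retrieved from a cloud service's API. The event schema, the approved lists, the threshold and the sample events are all constructed assumptions.

```python
from collections import Counter

# Assumed allow-lists maintained by the security team (hypothetical names).
APPROVED_ADMINS = {"root-admin@example.com"}
APPROVED_APPS = {"backup-connector"}
DENIED_THRESHOLD = 3  # assumed: denied requests per actor before flagging

def ev(actor, kind, action, privileged=False, result="allowed"):
    """Build one audit event in a constructed, hypothetical schema."""
    return {"actor": actor, "type": kind, "action": action,
            "privileged": privileged, "result": result}

# Constructed sample of what an audit API might return.
SAMPLE_EVENTS = [
    ev("alice@example.com", "user", "file.read"),
    ev("root-admin@example.com", "user", "policy.update", privileged=True),
    ev("bob@example.com", "user", "role.grant", privileged=True),
    ev("mail-merge-addon", "app", "file.read"),
    ev("backup-connector", "app", "file.read"),
    ev("carol@example.com", "user", "file.read", result="denied"),
    ev("carol@example.com", "user", "file.read", result="denied"),
    ev("carol@example.com", "user", "file.export", result="denied"),
]

def review(events):
    """Return findings covering the three groups named in the tip:
    users, privileged administrators and third-party apps."""
    findings, denied = [], Counter()
    for e in events:
        # Privileged action by someone who is not an approved administrator.
        if e["privileged"] and e["actor"] not in APPROVED_ADMINS:
            findings.append(("unapproved_privileged_action",
                             e["actor"], e["action"]))
        # Third-party app touching data without being on the approved list.
        if e["type"] == "app" and e["actor"] not in APPROVED_APPS:
            findings.append(("unapproved_third_party_app",
                             e["actor"], e["action"]))
        if e["result"] == "denied":
            denied[e["actor"]] += 1
    # Repeated denials suggest a user probing for data they may not access.
    for actor, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("repeated_denied_access", actor, count))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```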

3: Performance degradation of managed traffic

If you opt to send your managed traffic—the traffic you do know about—through a central screening point, performance can falter as large volumes of traffic back up into a queue while security is applied. Impeded performance often leads to user workarounds, when frustrated workers seek alternative ways to quickly access the resources they need to get their jobs done.

Tip for CISOs: Evaluate security solutions based on your use cases. There are third-party vendors that provide security tools that will secure all cloud services (SaaS, PaaS, IaaS) without a central checkpoint.

4: Users taking control

User bypass creates new risk by adding more unknown and thus unmanaged traffic that you can’t secure using traditional methods. It can also lead to shadow IT, whereby business users purchase their own cloud services and access unsanctioned applications and other resources across your network unbeknownst to your IT department.

Tip for CISOs: Shadow IT usage causes compliance issues and creates inefficiencies and inconsistencies within the business. Have your IT security team discover and audit the shadow IT usage within your enterprise. Based on the findings, create policies that help IT and other departments work together to provide the secure and compliant applications that employees need to meet speed and productivity demands.
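One way a security team could start the discovery step in this tip, as an added example that is not from the article: a Python pass over egress logs that totals traffic to cloud hosts outside the sanctioned list. The log layout (timestamp, user, host, bytes), the sanctioned domains and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Assumed list of services IT has approved (hypothetical domains).
SANCTIONED = {"crm.example.net", "storage.example.org"}

# Constructed sample log: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2017-01-09T09:01:02Z alice eu.crm.example.net 5120
2017-01-09T09:02:40Z bob files.share-site.example 8800000
2017-01-09T09:05:11Z carol files.share-site.example 1200000
2017-01-09T09:06:00Z bob storage.example.org 300
2017-01-09T09:07:30Z dave crm.example.net.notes-app.example 4096
malformed line here
2017-01-09T09:09:00Z bob FILES.share-site.example. 1000
"""

def normalize(host):
    """Lower-case the host and drop a trailing root dot."""
    return host.lower().rstrip(".")

def is_sanctioned(host, sanctioned=SANCTIONED):
    """Match on a label boundary, so a sanctioned name that only appears
    as a prefix of another domain does not count as sanctioned."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)

def discover(log_text, sanctioned=SANCTIONED):
    """Return (host, distinct_users, total_bytes) for unsanctioned hosts,
    most widely used first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed layout
        _, user, host, nbytes = parts
        host = normalize(host)
        if not is_sanctioned(host, sanctioned):
            usage[host]["users"].add(user)
            usage[host]["bytes"] += int(nbytes)
    rows = [(h, len(u["users"]), u["bytes"]) for h, u in usage.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    for host, users, total in discover(SAMPLE_LOG):
        print(f"{host}: {users} user(s), {total} bytes")
```

Hosts with many distinct users are usually the first candidates for a sanctioned alternative, since they show a real business need.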

5: Securing both infrastructure and applications

Most cloud security solutions are focused on the protection of SaaS applications only, which leaves serious gaps. In order to ensure comprehensive security, you must consider protection that includes all data, users, and devices with no limitation across SaaS, IaaS, and PaaS.

Tip for CISOs: The risks and security issues are completely different in IaaS, PaaS, and SaaS models. Look for a comprehensive solution as part of your cloud security strategy that can secure the entire cloud footprint - SaaS, PaaS, and IaaS.

6: Choosing between an API or proxy-based cloud security solution

There are two primary security deployment modes used by today’s Cloud Access Security Brokers (CASB): the proxy service approach and the API approach. They both appear to have advantages and disadvantages. How do I choose?

Tip for CISOs: Consider your company’s needs. Are you looking for an in-line solution (proxy) that takes security action in real time? Or are you looking for an API-based approach that secures all data, users, and devices, with no limitation across SaaS, IaaS, and PaaS, whether managed or unmanaged? Keep in mind that whichever you choose to implement in your organization, you do not need both types of CASB support.


Copyright © 2017 IDG Communications, Inc.
