In my last article, I introduced the lesser known parts of cloud security, the ones that no one is talking about. These serve as the key foundation upon which an entire IT operation is built upon, and yet, they are likely to be overlooked. Previously, we shed light on three crucial parts of the security chain protecting the cloud. These were the device, the user, and the network used to connect them to the server. In Part II we’ll talk about the delicate balances between user experience and security, and collaboration and security, as well as the best practices for today’s ITSEC team.
1. A delicate balance between collaboration and security
One of the best advantages of using cloud based services are the collaboration opportunities it provides -- not only between cross-department employees but even across the company and services themselves. For instance, a project can be shared between all parties responsible for and involved in it, from Finance, through Product Development, to Marketing, to external third-party partners such as an ad agency, etc., making it easier than ever to work concurrently and enhance productivity.
This virtual group collaboration is in fact too good to be true. As the number of parties involved in a project increases so does the security risk level. By providing total freedom to share anything with anyone, the ITSEC department will lose control of the employees’ activities, the number of people involved and their identities. Yet an outright ban of allowing work collaboration and sharing is also not an effective security option because users will find other ways to share -- bypassing corporate security and visibility.
So, where should the line between acceptable and dangerous group collaboration be drawn? A balanced approach would allow access from any service and manage the authorized identities to each service via dedicated user permissions. One example of a balanced approach could be deciding that any employee can use Dropbox but only allowing certain groups to share certain links to specific content.
Understanding who is allowed to collaborate with whom, on which types of content, and most importantly, what content is allowed outside the company is key to establishing an effective, safe, and productive collaboration environment.
2. Striking the right balance between user experience and security
The more awful the user experience is, the less secure it will be. Today’s modern employee is highly tech oriented. They are highly adept at using smart devices and applications. Users have already figured out ways on how to get around popular security restrictions. For those unfamiliar, all it will take is a few minutes via an online search to find a quick work around. With a click of a button, the user can decide to bypass the same defense that IT worked so hard to implement. The reality is that the users are not trying to be malicious. The decision to work with a shadow IT platform, completely unknown to the IT department or connect to an unsecured network that offers better connectivity, is driven by the desire for increased productivity. Even though these seemingly small, careless actions can bring the house down, users believe they are contributing to the workforce, as they place productivity as the highest priority. The only way to face the security risk is to embrace it. Only a truly seamless experience can work hand in hand with today’s users; any platform that will interrupt the desired smooth work experience that the user is expecting can have devastating results for the entire cloud security chain.
Compared to a malicious outsider, assuming the employee does not want to hurt the company, there is a very different risk to evaluate. While with a malicious outsider, one could be as aggressive as needed and forbid access to any corporate resource, yet with an insider, the opposite approach is required. It needs to be done delicately, almost transparently, but with the same level of governance and control, and to be applied only if needed.
3. Team impact – minimize team members and expenses without hurting cloud security
Managing an operation’s cloud security is hard enough with just the servers, services, and security tool stack to worry about. When combining all the factors above, it becomes even harder. Current security architectures require specialized products to handle security risks associated with each aspect: the user, the device, the network and the cloud service itself. It would take different teams, with diverse skillsets, using different platforms to manage all this infrastructure mentioned above. It sounds intimidating to even initiate the process and, of course, very expensive. This leads to yet another unknown cloud security issue – team management. The most modern and effective approach here would be to have one platform as a solution to the entire cloud security chain that would also allow visibility and control but still be seamless from a user perspective. This way a company could have only one team in charge of one platform, controlling the entire cloud security chain from end to end.
As strong as the weakest link
The most critical takeaway from this article is the core understanding that a cloud is not an island, isolated and standing alone, but rather it is a part of an entire ecosystem. Thus, securing the cloud actually means securing the entire cloud security chain. Like any other chain, it’s only as strong as its weakest link. It is a new way of thinking, a holistic point of view that considers every security aspect equally important to other parts surrounding the cloud. The efforts done in order to keep each part protected are also equal, including the cost it would take to handle them, and the staff required.
The future of cloud security is only going to grow in complexity as new services and devices are introduced. The best approach is a holistic security one to ensure control and visibility to all parts of the chain and keep pace with future changes in order to avoid recreating the entire IT ecosystem with the predictable changing tides.