Security: take it to the cloud

Editorial Type: Opinion     Date: 09-2015    Views: 2657   







Frank Cabri, VP at Imperva Skyfence, explains why organisations must protect themselves in real time when sensitive and regulated data resides in the cloud

In a recent survey of more than 250 InfoSec UK delegates in June, we learned that just over half of security professionals felt that they had less control over their data as they increased their adoption of cloud apps. Digging deeper, it's clear that the cloud is still uncharted territory for most organisations. The implications of the cloud for data security and compliance are not yet fully understood within organisations, and the perceived risks are still being debated. What can be done, then, to manage these risks, and what is a practical approach to embracing cloud app adoption?

The adoption of cloud applications - those authorised by IT and the unauthorised apps driven by employees - is moving the industry towards a new model. Fundamental to this model is that cloud app providers are not exclusively responsible for securing your users and your data when working in the cloud.

Cloud security is ideally a shared responsibility between the app provider and the subscribing organisation. In fact, many of the larger cloud app providers actually do a good job of publishing exactly what they do and don't do concerning security. With this in mind, here are four recommendations for IT organisations to consider when planning their role in securing cloud apps and data.

Get a handle on all cloud app usage. This is a great starting point to initiate the correct conversations between IT staff and business units. If you don't already know what cloud apps are being used, search the log files of your perimeter security products. Alternatively, use free discovery tools that can create an inventory of apps and users and assess the related risks. If you are like most organisations, you'll find four to eight times more cloud apps in use than you thought.

Decisions about unsanctioned apps. It's not practical for IT to simply block the use of dozens of unauthorised cloud apps that in many cases help staff to be more productive, often at acceptable cost. A better approach may be for IT to allow access to these apps while taking a 'trust, but verify' approach. Start and maintain a dialogue with employees about what apps they prefer working with and why.

Monitor data moving to the cloud. Employees like document sharing services. You'll want to understand whether they are sharing regulated or sensitive data and what applications - such as Dropbox, Box, and Google Drive - are used to share files. These can create blind spots for data proliferation and leakage: you'll also want visibility of any unstructured data already in the cloud. From here, the options for extending your data loss prevention infrastructure into the cloud become clear.

Protect user account credentials. Sanctioned apps including Office 365, NetSuite and Salesforce.com contain a great deal of sensitive data. Credential theft will continue to rise as hackers target unsuspecting and trusting end users. Credentials are the front door to the data, whether encrypted or not, and training goes a long way. Educating employees about the importance of safeguarding credentials should be fundamental to any cloud security strategy.
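The first and third recommendations above (inventory cloud app usage from perimeter logs, and watch what is uploaded to file-sharing services) can be sketched as follows. This is an added example, not part of the original article; the log format, the domain-to-app table, the sanctioned list and the sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed domain-to-app table and approved list; build yours from real discovery data.
APP_DOMAINS = {"dropbox.com": "Dropbox", "box.com": "Box",
               "drive.google.com": "Google Drive", "office365.com": "Office 365",
               "netsuite.com": "NetSuite", "salesforce.com": "Salesforce"}
SANCTIONED = {"Office 365", "NetSuite", "Salesforce"}

# Constructed proxy log (assumed format): timestamp user method url status request_bytes
SAMPLE_LOG = """\
2015-09-01T09:00:01Z alice POST https://www.dropbox.com/upload 200 5242880
2015-09-01T09:00:07Z bob GET https://eu1.salesforce.com/home 200 312
2015-09-01T09:01:15Z carol PUT https://upload.box.com/api/files 201 1048576
2015-09-01T09:02:30Z alice GET https://drive.google.com/drive 200 280
2015-09-01T09:03:02Z dave GET https://notdropbox.com/ 200 150
2015-09-01T09:03:40Z bob POST https://content.dropbox.com/files 200 2097152
malformed line
"""

def app_for_host(host):
    """Match on a label boundary so 'notdropbox.com' is not counted as Dropbox."""
    host = host.lower().rstrip(".")
    for domain, app in APP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None

def inventory(log_text):
    """Return {app: {'users', 'requests', 'upload_bytes', 'sanctioned'}}."""
    apps = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[5].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, user, method, url, _, sent = fields
        app = app_for_host(urlsplit(url).hostname or "")
        if app is None:
            continue  # not a known cloud app
        entry = apps[app]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # request body size approximates data leaving
            entry["upload_bytes"] += int(sent)
    return {a: dict(e, sanctioned=a in SANCTIONED) for a, e in apps.items()}

if __name__ == "__main__":
    for app, e in sorted(inventory(SAMPLE_LOG).items()):
        flag = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{app:13} {flag:12} users={sorted(e['users'])} uploaded={e['upload_bytes']}")
```

Unsanctioned apps with large upload totals and several distinct users are the natural starting point for the conversations with business units that the article recommends.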

Today's cloud computing model involves users accessing applications and data, and increasingly neither resides inside the firewall. Traditional firewalls and secure web gateways are no longer enough. Gartner has identified a new category of products - Cloud Access Security Brokers. These are designed to help IT organisations do their part in this shared security model.

Organisations can embrace the cloud while bringing security back in-house, where it belongs. The fundamentals of security have not changed, but cloud app security requires an entirely new approach that involves the IT organisation, the SaaS app provider and end users.
