It would be an understatement to say that cloud applications have had some success in the past. While the cloud adoption rate is still growing quickly, most companies these days already use at least one cloud service in one way or another. Whether it is a private cloud where an ERP system is hosted, whether computing power is outsourced to one of the big hyperscalers, or whether it is a simple cloud file sharing service which makes it easier for users to share large amounts of data – cloud applications have become an integral part of our IT usage. That also raises security concerns for the cloud – how can companies ensure that sensitive data is protected and that cloud applications do not punch a hole in the carefully crafted security walls around the company’s infrastructure?
In the recent past, the term Cloud Access Security Broker (CASB) has been used for those security solutions which secure cloud usage. However, with cloud usage becoming ever more entangled with our daily workflow, cloud security solutions these days need to cover more use cases and require more comprehensive features to effectively secure the corporate infrastructure beyond the internal network boundaries. Merely securing access to cloud applications would neglect the realities of an ever more cloud-focused world. Here are three requirements a cloud security solution needs to fulfill to cover those realities.
Be aware of (and secure) “shadow IT”
Even in companies where there is no official cloud adoption, chances are high that some cloud applications are still being used. In fact, during the course of a typical day, most IT users will access a cloud application in some way, be it for a large file which cannot be sent via e-mail or for setting the desktop background image to that beautiful sunset from the last holiday. The reasons why cloud applications are accessed are manifold; a security problem arises when that cloud usage has not been sanctioned by corporate IT. And even if specific cloud applications can officially be used, users will still want to access their own personal cloud accounts in some situations. The big question is: how can companies provide transparency and security for both corporate and private instances of cloud applications?
The problem is obvious, but from an IT perspective it looks similar to the famous Gordian Knot: once you stop blocking access to, for example, OneDrive or Dropbox, users will also be able to access their own personal instances of those applications. And while it is easy to govern access to the corporate accounts which are under the control of IT, it would be just as easy for a user to download potentially sensitive data from the corporate cloud and immediately upload this data to his or her personal cloud instance.
A next generation cloud security solution therefore needs to be aware of these different instances and should be able to set different policies for each type of instance. This way, it would be possible to upload anything to the corporate cloud instance, while uploads to personal instances would be forbidden. Allowing downloads, however, would still enable users to access their private photo collection, for example.
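The instance-aware policy described above, as an added example (not code from the article or from any CASB product): the same application is allowed or blocked depending on whether the request targets a corporate-managed or a personal instance, and applications that are not inventoried at all are treated as shadow IT. The tenant identifiers, event fields and sample events are constructed for illustration.

```python
"""Instance-aware cloud access policy (added example, not from the article
or any CASB product). Tenant identifiers, event fields and sample events
are constructed for illustration."""
from dataclasses import dataclass

# Constructed: instance identifiers that corporate IT manages, per application.
CORPORATE_TENANTS = {
    "onedrive": {"example-corp.sharepoint.com"},
    "dropbox": {"dbx-team-example-corp"},
}

@dataclass(frozen=True)
class CloudEvent:
    app: str      # cloud application name, lower-case
    tenant: str   # instance identifier extracted from the request
    action: str   # "upload", "download", "browse", ...

def classify_instance(event):
    """Return 'corporate', 'personal' or 'unknown' for the event's instance."""
    tenants = CORPORATE_TENANTS.get(event.app)
    if tenants is None:
        return "unknown"  # application not inventoried: treat as shadow IT
    return "corporate" if event.tenant in tenants else "personal"

def decide(event):
    """Uploads only to corporate instances; downloads and browsing are
    allowed on both; requests to un-inventoried applications are blocked."""
    instance = classify_instance(event)
    if instance == "unknown":
        return ("block", "unsanctioned application (shadow IT)")
    if event.action == "upload" and instance == "personal":
        return ("block", "upload to personal instance")
    return ("allow", f"{event.action} on {instance} instance")

# Constructed sample traffic: same application, different instances.
SAMPLE_EVENTS = [
    CloudEvent("onedrive", "example-corp.sharepoint.com", "upload"),
    CloudEvent("onedrive", "personal.onedrive.example", "upload"),
    CloudEvent("onedrive", "personal.onedrive.example", "download"),
    CloudEvent("fileshare-xyz", "-", "upload"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision, reason = decide(event)
        print(f"{decision:5} {event.app}/{event.action}: {reason}")
```

In a real deployment the tenant field would come from the proxy's inspection of the request (for example the target host or account), which is why the article insists on visibility into the full traffic flow.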
Data Loss Protection
A related use case – if not the most significant use case when it comes to cloud applications – is the prevention of data loss (Data Loss Prevention, DLP). For DLP, there are actually two main issues. The first is the question of which data is sensitive and needs to be protected. A good cloud solution for DLP needs a set of predefined patterns which enable the identification of sensitive data. Ideally, this would be supported by machine learning capabilities, as data is constantly evolving. To prevent data from moving into the cloud, a policy then needs to be applied which constantly monitors the data flow to the cloud – of course, some data is specifically meant to reside in the cloud, which is why comprehensive monitoring is essential.
This also relates to the second problem of DLP. Preventing data loss in combination with cloud access can only work effectively if the entire network traffic is controlled and all data flows are transparent. That, in turn, will only work with a solution that is capable of steering the entire traffic. In today’s world of full connectivity, the best way to achieve that is to span a network of physical locations which steer customers’ traffic. In other words, “a cloud for the cloud” would be the best approach.
Catch me if you can
Cloud applications today are increasingly diverse. What started with a few use cases such as CRM or travel expenses today covers most corporate IT processes – with a similarly high number of cloud application providers in this space. With more workload in the cloud, more data is created in the cloud and more traffic runs outside of the corporate on-premise network. This means companies have to expand their perimeters, making sure that all cloud applications are covered. It also means that a cloud security solution needs to cover all of these different providers and the traffic going back and forth. With the big cloud providers, this is usually no issue, as they have well documented integration possibilities. Most of the smaller cloud applications also provide some form of API connectivity, which makes it easy to integrate those as well. However, integrating cloud applications is only possible for sanctioned cloud services. For the “shadow IT” mentioned above, companies will need to know which data is going to an unsanctioned cloud. A cloud security solution therefore needs to be able to make that traffic visible by decoding the data on the fly.
Finally, one of the main drivers for cloud services in general has always been the requirements of mobile users. Being able to access your data anywhere on any device was – and still is – one of the main arguments for cloud applications. Unfortunately, accessing clouds “on the road” also bypasses the company’s network, and a VPN connection is not always used. In order to comprehensively protect all cloud access, however, this needs to be taken into account. A next generation cloud security solution should also be able to ensure cloud protection for mobile users, for example by providing a client to be installed on all mobile devices.
Today’s corporate processes rely more and more on cloud applications. So, however, do private users, and with the border between private and work becoming blurry, companies need to be aware that securing cloud applications entails much more than simply securing access to those clouds. In fact, any solution for cloud security needs to make sure that
- Data loss is prevented
- Cloud usage – both for sanctioned applications and unsanctioned services – is transparent at all times
- Data flow is monitored comprehensively
Next generation cloud security solutions need to take these considerations into account and address them with features which enable secure cloud access, regardless of the use case.