People & TechnologyCloud First also means Security First—here are steps for getting there

Executive Summary

Cloud security is ever-increasingly becoming an inescapable part of business—the employees of enterprises using the cloud without security are ensuring it. When you move to the cloud, you need to prioritize security—ID federation, user access policies, WAF, data access and protection policies. This article is about the state of the art of preparation, as well as a solid long-term strategy for portability in case you have to move again.

Executive Summary

Cloud security is ever-increasingly becoming an inescapable part of business—the employees of enterprises using the cloud without security are ensuring it. When you move to the cloud, you need to prioritize security—ID federation, user access policies, WAF, data access and protection policies. This article is about the state of the art of preparation, as well as a solid long-term strategy for portability in case you have to move again.

The cloud has become an inescapable part of doing business—and so has cloud security.

Moving an application to the cloud or adopting a new cloud service can be a mixed blessing. For the most part, cloud service providers tend to make their applications more secure than an individual company’s security team would. However, statistics suggest most cloud applications used by employees—an estimated 94.8 percent—are not entirely enterprise-ready. Many companies lack the policies they need to be as secure as possible.

The ranks of enterprises with no cloud policies are rife with employees bringing in their own mobile devices and using their preferred services. An increasingly mobile workforce and the emergence of connected business devices, from printers to your company’s heating system to the break room refrigerator—the Internet of Things—are powered by on-demand services, making the cloud even more important at work. According to the cloud access security broker Netskope, in the third quarter of 2016, the average company had 1,031 cloud applications being used by employees.

With attackers becoming more sophisticated, you need to secure your cloud applications and make smart decisions about how to spend resources on security. While much of the focus on cloud security is on better development practices by app creators, for many companies that are consumers of apps and cloud services—and not creators—the applications often must be secured with zero visibility into their inner workings: the proverbial “black box.” For that reason, securing apps in the cloud should be treated much like securing on-premises devices.

1,031

One thousand thirty-one cloud applications are being used by employees at the average enterprise.

Here are three basic steps to extending your security in the cloud:

1. Get visibility

Just as a business needs to be aware of what is going on with its own infrastructure, your security teams should also have visibility into the use and security of any cloud services. You need to know not only how employees are accessing cloud services, but which employees are accessing them.

You should take advantage of all the logging functionality offered by your cloud provider. Your provider should also be transparent in how it secures its infrastructure and provides information about security controls.

Related

How to orchestrate your people, processes, and technology as you move to the cloud

3 min. read

2. Encrypt all data and identities

Business data kept in applications—and the data needed to access those applications, such as identity—become increasingly important when moved to the cloud.

Cybercriminals are taking advantage of inconsistencies between the data center and the cloud.

Because remote access to cloud services is the new normal, the security of data stored in the cloud also relies on the ability to reliably identify users. Security teams should not assume that a user with the right credentials is authorized. Other authentication processes such as two-factor authentication, anomaly detection, and geolocation can all help make access to cloud services more secure and should be used when they do not overly burden workflow.

Related

Is the cloud an enabler or a disruptor of your digital transformation?

5 min. read

3. Create policies and educate users

Moving applications to the cloud gives security teams the opportunity (some might say obligation) to extend their policies outside the corporate network. Because any employee with a credit card can deploy a new cloud service, you need policies that are flexible and technology that can detect unsanctioned services—more commonly known as shadow IT.

Whether data is stored on premises or in the cloud, the same overall policies should apply. While complying to regulations is an obvious starting point, your cloud policies need to ensure security and not just compliance.

Robert Haynes is a solutions architect with over twenty years experience in IT. Starting at the bottom as a helpdesk analyst, his lackluster career has lead him through UNIX systems administration, backup and storage, and finally application networking. Having supported, designed, and sold complex IT systems across a range of industries and a number of continents, Robert’s focus is always on the practical implementation and real world use of technology. While this may seem utterly at odds with his current role in marketing for F5 Networks, he likes to think that he is primarily employed to bring balance to the Force.

Robert holds a B.Sc. in Applied Biology from the University of Wales College Cardiff, and a certificate in “Avoiding Collisions While Backing and Parking” from the Driving Dynamics Interactive Advanced Driving School, the latter of which has proved considerably more useful than the former.

You Might Also Like

Cloud · 5 min. read

Preserve your flexibility in the cloud

Developers are having a greater impact on how applications are architected, and in many cases, making unilateral choices that are in effect making business decisions for the company. While nearly two-thirds of enterprise IT managers believe they should be the deciding vote in selecting a public cloud service, moving apps to the cloud, or creating a private cloud, business units disagree about 40 percent of the time. CIOs need to manage this.

Business Strategy · 5 min. read

Is the cloud an enabler or a disruptor of your digital transformation?

The cloud offers lots of benefits to employees and consumers, but lots of headaches for IT architects. When it comes to evaluating the impact that cloud will have on your digital transformation, there’s no easy explanation. The answer mostly depends on whom you ask.