As the amount of data continues to grow and expand outside of the enterprise, security leaders need to develop a plan to quickly secure it.
The big promise of cloud computing was that it would simplify security. Organizations would no longer have to worry about securing their infrastructure because that’s what cloud service providers would do. The promise was that enterprise cloud service providers would ensure that their systems that provide organizations compute power, storage, database, and networking infrastructure services would be well managed and secured. Organizations could then use the time they previously spent securing infrastructure to better secure their data and applications.
Unfortunately, it hasn’t turned out that way. Cloud hasn’t simplified security, not for many mid-size and larger organizations. In fact, in many ways, cloud has added to management and security complexity. This isn’t because cloud providers have failed to live up to their promises. For the most part they have. The vast majority of cloud service providers do deliver highly available and secure services. It’s time enterprises do more of their part.
The Challenge is the Phenomenal Success of Cloud
The challenge actually stems from the phenomenal success of cloud computing. Cloud is so easy and affordable that any business user can set up shared cloud storage or a collaborative platform for themselves or their teams. Anyone with a credit card or an expense account can procure their own services that are completely invisible to the enterprise. This means data that was once stored in the data center or on computer-user endpoints is now sprawled across dozens of cloud services. Thus, enterprise security teams don’t have visibility to – or control over – where their data resides or ultimately who has access.
We’ve witnessed a data supernova over the past decade, as enterprise data has been strewn from the data center and endpoints to places such as Dropbox, Box, Microsoft Office365, Azure, Slack, and dozens of other common cloud apps, services and platforms. While enterprises have been aware of this data explosion, for any number of reasons they have not been able to control it.
Perhaps the biggest test enterprises face from the data supernova is the loss of visibility into their data: where are their data going once they leave their data centers and endpoints? Interestingly, most enterprises don’t yet realize that they have a problem with data visibility. In a 2018 Data Exposure Report (PDF), Code42 found that 75 percent of security and IT leaders claim to have full data visibility across all of their organizational data, while 20 percent admitted that they don’t have such visibility. The reality is most organizations have their blinders firmly in place when it comes to data visibility.
The Path to Data Visibility
Still, enterprises know they actually do need data visibility. The Data Exposure Report showed that 80 percent of those surveyed agreed that one can’t protect what one can’t see, and 74 percent of business leaders believe IT and security should have full visibility across organizational data. So how do enterprises regain their visibility?
There is a limited number of choices. While many enterprises would like to commandeer the laws of physics to alter gravity and pull their data back to their data centers and endpoints, that’s never going to happen. Still, there are things they can do, and a number of things they shouldn’t try to do.
One approach enterprises shouldn’t take is also commonly tried. They try to stop users from turning to the cloud services of their choice. Security and IT develops a list of approved cloud services and mandates only those services may be used.
Of course, that doesn’t go over well, and is usually ignored. Sure, these enterprises can try to monitor what services users are turning to and shut down every instance of an unapproved service as it pops up, but they’ll end up playing an unending game of whack-a-mole. A game IT and security will eventually lose, to be sure. Most people can agree this is not a long-term strategy.
There’s another option. An organization can just wing it and allow users to do what they want and trust that they and the cloud providers will adequately secure your data. Of course, that’s not a great idea – all of your data is important. The truth is you never want hackers or competitors to get a hold of your data, and some of that data probably falls under legal or regulatory mandates.
That leaves one to finding technology solutions. The first is having the ability to identify the cloud services your staff are using. Once these services are identified, IT and security teams can ensure they are properly managed and secured, including such important practices such as access control, configuration management, monitoring, backup and recovery capabilities and whatever else makes sense within the context of the cloud app and how it’s being used. This is also an area where data loss protection can give enterprises visibility into how and where data flows from their endpoints to their cloud services. They can track who has access to every file, where the files go, and step in should anything suspicious warrant action.
Enterprises not only need a comprehensive view of file activity across both endpoints and cloud services, but they need to constantly monitor for changes in data across the organization and be able to immediately step in should threats arise and make it so that data is fully recoverable should the cloud service become unavailable.
Finally, it also ensures compliance is possible to industry and government regulatory mandates, such as GDPR.
While enterprises may wish that the data supernova never happened, there’s no putting the data that has been strewn throughout cloud services back into the data center or user endpoints. There’s no gravitational force that will pull all of that data back. And there’s no stopping staff from using cloud services of their choice. The only option for enterprises to do their part and gain control is by increasing visibility through monitoring and ensuring good security practices around apps and data.
(About Rob Juncker, senior vice president of research and development and operations at Code42. His background is in security, cloud, mobile and IT management. Before joining Code42, Juncker was vice president of research and development at Ivanti, a leader in the security and IT management space.)
[Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.]