Security in the cloud

By Richard Spires

By Richard Spires

|

SaaS applications are changing the way agencies work - but new security approaches are needed when you no longer have a perimeter to protect.

Shutterstock image (by bestfoto77): cloud network security lock.
 

As a former CIO, I have implemented and seen the significant benefits of cloud computing -- both the leverage of compute on demand and the use of software-as-a-service applications. In particular, SaaS-based applications increasingly are becoming the way organizations can quickly and easily leverage new capabilities. This is driving tremendous growth and innovation – AngelList has more than 11,000 SaaS start-ups listed in the U.S., and IDC predicts the SaaS-based market will surpass $112 billion by 2019.

While cloud computing and SaaS business models can enable IT organizations to lower infrastructure costs and enable more agility to support customers, it also increases the complexity in dealing with IT security. Not only is the IT organization giving up control (and visibility) into some of its IT infrastructure, to the degree it is leveraging SaaS-based applications, it is also having third parties store and control sensitive data. 

Not so long ago, IT security staff would work to protect the organization's IT perimeter. With today's new computing and service models, one has to admit that a traditional perimeter no longer exists. Or if it does, that perimeter might include protecting dozens of third-party cloud service and SaaS-application providers.

To address these new IT security realities, I think of this is as a two-fold challenge. First, in regards to the use of third-party IT cloud service providers (to include more traditional outsourced data center services), organizations need to have confidence these providers are implementing the proper security controls. Those controls should match, or at least be very similar to, what the organization would implement within its own data centers and networks. These controls range from physical access for personnel, identity management for system administration access and appropriate network encryption. 

A number of non-profit organizations have been working on standardizing these controls for the industry. Notably, the Cloud Security Alliance (cloudsecurityalliance.org) has developed the Cloud Controls Matrix, a security controls framework specifically designed for cloud computing. Leveraging CCM, the CSA has developed an auditing, certification, and registry program for cloud service providers known as Security, Trust & Assurance Registry. In a similar model, the U.S. Federal Government has developed its FedRAMP program, a means for cloud service providers to meet minimum security control requirements at three different levels as defined by the NIST 800-53 security control suite.

Yet even if an IT security manager has faith in the control suite of the underlying cloud service provider, what about the case of an organization leveraging a SaaS application? In this case, it is likely that sensitive data will be stored and controlled by the third party and used by organization's customers or partners in ways that the data never touches the organization's network, firewalls or other directly controlled security devices or processes. 

As a CIO or CISO, this situation gives one significant concerns, as SaaS applications can leave one with little visibility and control regarding security of the application and its data. Hence the second challenge is how to extend an organization's security policies and controls to public clouds and SaaS applications.

This challenge has given rise to what are known as cloud access security brokers. These products serve as security enforcement points sitting on premise or in the cloud and logically exist between the organization and the cloud service provider to provide a range of services to include identity authentication and authorization, device profiling, application whitelisting, encryption, alerting, malware detection, etc. Some of the leading vendors in the CASB market include Bitglass, Blue Coat/Symantec, Cloudlock/Cisco and Skyhigh Networks. The use of CASB solutions is growing rapidly, with Gartner Group reporting that by 2020, 85 percent of large organizations will use CASB solutions, up from less than 5 percent in 2015.

On the positive side, the CASB vendors have significant capabilities and are filling a void in the market. As a former CIO, however, I have a jaded view of solving enterprise IT security challenges by continuing to add tools and then working internally to integrate them. I have rarely seen this strategy work well. 

Instead, I have become a proponent of the view that the best approach to address enterprise IT security challenges is the use of an IT security platform that provides the range of capabilities to help prevent and, when necessary, detect breaches in the enterprise. In this market, Palo Alto Networks, Cisco and Check Point Software provide integrated platform solutions (disclosure: I am member of Palo Alto Networks Public Sector Advisory Council).

As an example of the value of a platform, Palo Alto Networks has recently extended its platform capabilities into cloud solutions and SaaS applications. What is particularly intriguing (and operationally appealing) is that I can set my security controls for a type of data (for example, tailor the controls according to the data's sensitivity), and the technology enables me to enforce those policies throughout its platform, irrespective of whether that data is residing in my own data center, an outsourced data center, or in a SaaS application on a public cloud. This greatly simplifies administration of security policies throughout an enterprise and offers advanced threat prevention. 

Furthermore, one of the growing exploits used by attackers aims to infect users with malware via SaaS-based applications, since adversaries know that most organizations do not have the same ability to monitor those SaaS applications the way they do internally based tools. A key component of these platforms is the ability to bring threat detection and prevention capabilities to all aspects of the IT infrastructure and applications, including those residing in the cloud.

The use of SaaS-based applications is becoming a preferred approach for rapidly delivering new capabilities for organizations. The demand is coming from the business users, and as such, IT organizations must accept and plan for continued expansion in the number and use of SaaS. Accordingly, IT organizations need to develop a comprehensive approach for addressing the security challenges that come with relying on third-party computing and applications, even though the user and data may never traverse the organization's own network or data centers.

NEXT STORY: Veterans panel chairman wants faster action on VA scheduling

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.