As businesses migrate to the cloud, they face the security challenges unique to this dynamic platform. And by nature, organizations will use multiple SaaS and IaaS providers.
So the questions begin. How do we put the proper data controls in place? How do we ensure only certain types of data are placed with public cloud providers? These are good questions, but they come in due time.
What matters first
Gaining visibility into cloud usage now and on an ongoing basis is job one.
It is impossible to secure what you cannot see: without visibility, you can’t apply the proper controls. Many organizations attempt to solve this with Cloud Access Security Brokers (CASBs) and soon find themselves drowning in the number of discovered applications. They are overwhelmed by the volume of discovery data and unsure how to act on it.
A phased approach
Understand what is driving your organization’s cloud initiatives. Are you being challenged to do more with less, increase efficiencies, or reduce operating costs? Establish a baseline through discovery, then create a solid governance process that enables cloud applications while reducing risk and remaining compliant.
It’s understandable to have some anxiety placing the organization’s “crown jewels” in a public cloud; at the very least data must be encrypted and the proper permissions applied. Sometimes a private cloud is built so the organization can still provide cloud’s automation and orchestration benefits. In all cases, visibility is crucial to providing this level of security.
The growth of SaaS applications has introduced visibility challenges that require a different approach. Many organizations have used SaaS applications for years, and many of these applications are not enterprise-ready. What does enterprise-ready mean? Among other things, the application can provide encryption and identity federation.
Does the cloud provider extend its SLA to the end user, and how is the overall architecture designed? When organizations attempt to gain visibility, more often than not the number of cloud applications is five times the number they thought they had. Why? They’re easy to purchase and they provide critical business functions.
Traditional procurement policies and procedures were not built to handle cloud applications, so many of these purchases go undetected. As a result, the organization may lack the visibility into the data held in these applications that it needs to protect itself.
Reduce shadow IT
To maintain security, organizations need to consider traditional compliance and regulatory requirements and, less commonly, build a governance process from the business perspective. This effort should cover the types of data involved and the process for implementing and supporting a cloud model.
What does the organization gain from this meticulous effort? It effectively reduces shadow IT without inhibiting the business. It is all about secure enablement, data, visibility, and adapting the way a traditional IT organization works to support a cloud operating model.