The adoption of cloud services has been near-universal, and both swift and unrelenting in nature. It’s not hard to see why. Cloud makes powerful tools and resources easily available to all, on a wide variety of devices, wherever users can connect to the Internet.
Ubiquitous, easy access to powerful technology, as and when it is needed, has impacted all businesses of all types and sizes, around the world and across every sector.
Employees can work wherever they wish, at any time of day. A team in Barcelona can work in real time with contributors from Seattle, Tokyo and Durban. Information can be shared as never before. The list of benefits goes on: Cloud is, among a host of wannabe “revolutionary” technologies, the real deal.
The Challenge for IT
However, cloud’s very ease of use and near universal accessibility are double-edged swords. Setting up an account with Dropbox, Salesforce, Office 365, Box, Google Apps or any of a host of others is the work of a moment, and such services undeniably make users’ lives easier. For the IT team, though, they represent a significant challenge – ensuring cloud services are used in a safe, secure manner.
There are two key issues to consider here.
- IT is Flying Blind
Shadow IT has long been an issue for almost all organisations – commercial businesses, charities and public sector bodies, large and small. The rise of the cloud has exacerbated the problem, with IT largely in the dark as to what cloud services are being used, by whom, when and where, what is happening to organisational data assets, and where security holes are being opened up by risky user behaviours and insecure apps and network connections.
- Traditional Tools Won’t Help
Existing controls are typically designed to secure on-premise assets and environments. They cannot provide the visibility IT needs into users’ cloud-related activities and risks.
Without that visibility, it is impossible for organisations even to identify risks, much less to address them and respond to account-centric threats.
Responsibility Without Visibility
The blind spot is typically substantially larger and wider in scope than is appreciated. Organisations are aware that cloud services are in use, and indeed may have formally approved their use. However, they often seriously underestimate the extent of unsanctioned cloud usage, both via their own devices and networks and through user-owned devices and third party networks over which they have little or no control.
A key challenge for IT is that cloud service providers typically leave their clients to set security attributes, control access and ensure compliance for data in the cloud. That means that while IT usually cannot control endpoints or cloud apps, or even know what they are, they remain responsible for the organisation’s information assets.
Ask The Right Questions
Our Human-centric cybersecurity specialists propose nine key questions to ask when considering cloud app security. These broadly split into user-related issues and data related issues.
With reference to users, they look at what apps are being used and by whom. They ask who uses file-sharing services and who downloads data to unmanaged devices. They seek to identify the most active users and uncover suspicious user activities.
On the data front, they explore where data is stored and processed in the cloud, where it is exposed to the greatest risk, and where data leakage is happening.
Three Essential Criteria
From these key questions, three key criteria emerge as essential for cloud app risk management and control.
Firstly, App Discovery is required – a comprehensive, global view of all cloud apps in use. Secondly, Risk Governance must be put in place – the contextual assessment of all risks, and the setting of mitigation policies. The third issue is Audit and Protection – the automation of policy enforcement and protection against credential misuse and malicious insider actions.
A New Toolkit
As we have noted, traditional toolkits, created for on-premise environments, fall drastically short in the cloud. A new toolkit, designed for the cloud, is needed.
Forcepoint CASB has been built for the cloud, to deliver cloud app usage visibility, high-risk activity identification, and policy enforcement, as well as providing controls to counter account-centric threats, meet compliance requirements and protect data.
Available in three packages, Cloud Governance, Cloud Audit & Protection, and Cloud Security Suite, Forcepoint CASB hands visibility and control back to IT, enabling organisations to leverage the convenience, productivity and flexibility of cloud apps without trading off security and control.
To find out more about how Forcepoint CASB can help you see clearly and maintain effective control in the cloud, download Forcepoint’s free white paper, Forcepoint CASB Sheds Light on the Cloud App Visibility Blind Spot, or find out more about the service – here.