Why should CISOs care about the latest mobile apps? While BYOD is certainly present in the enterprise security conversation, BYOCloud Services is considered less often, because security professionals tend to focus on securing the handful of sanctioned cloud applications.

Tim Youngblood of Kimberly-Clark shared an article spotlighting two trends that are forcing CISOs to reconsider their mobile security strategy. First, traditionally consumer services such as Gmail and Facebook are blurring the strict distinction between enterprise and consumer apps. These user-friendly offerings are enabling employees to more easily work on their mobile devices, sending corporate data outside of the company network.

Second, cloud-based applications accessing corporate systems of record are multiplying as startups leverage cloud providers’ API developer ecosystems to create third-party applications. While enterprise-ready apps such as Salesforce, Box, and O365 have robust security controls, third-party apps with access to sensitive data can be created by young startups without significant security investments. In other words, a breach in a productivity app run by five developers in a garage could compromise corporate data in Salesforce. CISOs need to gain visibility into third-party apps and account for the security of cloud systems of record.

The ease of acquisition and consumption for cloud services means that users may not always understand the security implications of the tools they use. In the article shared by DTTL’s JR Reagan, corporate workers surveyed declared they believe their employers are responsible for ensuring data security. 78% of respondents are confident that businesses are doing what is required to secure data, but the reality is that many organizations don’t have visibility into what cloud services employees use.

Some organizations reframe these security challenges and recognize that securing data requires a paradigm shift in strategy. According to an article shared by Bruno Kerouanton, CISO of the Republic and Canton of Jura, Switzerland, Google will leverage the security benefits of the cloud and move its corporate data to the cloud. The move reflects a shift towards securing data over securing the network perimeter. Expect more companies to join Google as public perception acknowledges the fallacy of the old “cloud is inherently insecure” myth.

US Army Corps of Engineers CISO Sam Liles shared a useful document for those embarking on a cloud security project. The article on best practices in cloud security outlines several phases: securing the code pipeline, securing the infrastructure, securing the control plane, and securing the people. Of course, the final step is “Security is never done.” This is a great lesson for organizations of all industries and sizes: security must be baked into day-to-day operations at all levels of the company.

On that note, we couldn’t agree more with Jason Callahan’s advocacy for a user-centric security model. Most employees are not sinister or purposely neglectful of security practices, but they will take the path of least resistance when it comes to accessing the data they need to get their jobs done. Companies like DIRECTV and Western Union understand that the user should be at the center of security strategy and invest in technologies with frictionless implementations. The philosophy behind this model holds that employees will circumvent security solutions that inhibit usability.
