Why should CISOs care about the latest mobile apps? While BYOD is certainly present in the enterprise security conversation, BYOCloud Services is considered less often, because security professionals are often focused on securing the handful of sanctioned cloud applications.
Tim Youngblood of Kimberly Clark shared an article spotlighting two trends that are forcing CISOs to reconsider their mobile security strategy. First, traditionally consumer services such as Gmail and Facebook are blurring the strict distinction between enterprise and consumer apps. These user-friendly offerings are enabling employees to more easily work on their mobile devices, sending corporate data outside of the company network.
Second, cloud-based applications accessing corporate systems of record are multiplying as startups leverage cloud providers’ API developer ecosystems to create third-party applications. While enterprise-ready apps such as Salesforce, Box, and O365 have robust security controls, third-party apps with access to sensitive data can be created by young startups without significant security investments. In other words, a breach in a productivity app run by five developers in a garage could compromise corporate data in Salesforce. CISOs need to gain visibility into third-party apps and account for the security of cloud systems of record.
Mobile First, But What’s Next? – The ascendance of mobile devices, cloud computing and big data is having a profo… http://t.co/eltdbNFZNL
— Tim Youngblood (@youngbloodtim) May 17, 2015
The ease of acquisition and consumption for cloud services means that users may not always understand the security implications of the tools they use. In the article shared by DTTL’s JR Reagan, surveyed corporate workers said they believe their employers are responsible for ensuring data security. 78% of respondents are confident that businesses are doing what is required to secure data, but the reality is that many organizations don’t have visibility into what cloud services employees use.
— Dr. JR Reagan (@IdeaXplorer) May 17, 2015
Some organizations reframe these security challenges and recognize that securing data requires a paradigm shift in strategy. According to an article shared by Bruno Kerouanton, CISO of the Republic and Canton of Jura, Switzerland, Google will leverage the security benefits of the cloud and move its corporate data to the cloud. The move reflects a shift towards securing data over securing the network perimeter. Expect more companies to join Google as public perception catches up with the fallacy of the old “cloud is inherently insecure” myth.
Google Reverses Traditional Security Model and Moves Its Corporate Applications to the Internet http://t.co/JNrRt7VHYx
— Bruno Kerouanton (@kerouanton) May 18, 2015
US Army Corps of Engineers CISO Sam Liles shared a useful document for those embarking on a cloud security project. The article on best practices in cloud security outlines several phases: securing the code pipeline, securing the infrastructure, securing the control plane, and securing the people. Of course, the final step is “Security is never done.” This is a great lesson for organizations of all industries and sizes: security must be baked into day-to-day operations at all levels of the company.
Cloud security best practices during all phases of the infrastructure lifecycle http://t.co/hUqLsiwlG2
— Dr. Sam Liles (@selil) May 15, 2015
On that note, we couldn’t agree more with Jason Callahan’s advocacy for a user-centric security model. Most employees are not sinister or purposely neglectful of security practices, but will gravitate towards the path of least resistance when it comes to accessing data they need to get their jobs done. Companies like DIRECTV and Western Union understand that the user should be at the center of security strategy and invest in technologies with frictionless implementations. The philosophy behind this model holds that employees will circumvent security solutions that inhibit usability.
I disagree!! Security and convenience don't have to be inversely related!! @argyleciso
— JasonPCallahan (@JasonPCallahan) May 19, 2015