BoxWorks took place in San Francisco this week, championing the recurring theme, “How Tomorrow Works.” There is no doubt cloud computing marks the destination for enterprise software, but security concerns continue to delay progress. Many companies in even the most-regulated industries, such as Financial Services, have taken a cloud-first approach to IT operations and security, but they still represent the minority. In fact, only 33% of companies report a full-steam-ahead approach towards cloud at this point.
In the year since the last BoxWorks conference, we have witnessed a sea change in the attitude towards enterprise cloud use. Organizations have woken up to risk from ungoverned cloud use, with Gartner predicting that 25% of enterprises will employ a cloud access security broker solution by 2016.
Fewer and fewer organizations are taking the myopic strategy of trying to block all cloud usage or, worse yet, denying it exists in their organization. 451 analyst Adrian Sanabria points out a key tension driving information security strategy in the enterprise: the tradeoff between functionality and security.
If breaking functionality was an acceptable approach to securing systems, we'd just run around in data centers with scissors all day.
— Adrian Sanabria (@sawaba) July 9, 2015
The initiative behind cloud migrations often originates with employees, who pressure IT to enable SaaS work tools. Partnering with business units means making data available to end-users where and how they need it. Conferences like Dreamforce and BoxWorks highlight the exciting capabilities businesses gain with SaaS applications. Cloud-based solutions have moved far beyond simple storage to platforms offering business analytics as a service and collaborative media editing as a service. Taking full advantage of these offerings can unlock business results and make IT a competitive differentiator. As Ariva Group’s Phil Cracknell argues, a viable security strategy must cater to business objectives.
Corporate security strategies still not taking account of what the business needs!
— Phil Cracknell (@pcracknell) September 30, 2015
A common security failure is refusing to acknowledge the risk present in the status quo. Wendy Nather of the Retail Cyber Intelligence Sharing Center perfectly describes this phenomenon in what she calls “Cheeseburger risk,” or the dangers you tolerate until a catastrophic episode occurs. We’ve seen this process unfold in breaches like OPM’s, where security upgrades like encrypting data at rest were deferred until it was too late.
— Wendy Nather (@wendynather) September 9, 2015
Cloud-first organizations benefit from the security advantages cloud services offer, like ease of updates, visibility from APIs, and constant innovation driven by a competitive enterprise SaaS market. Taking a hands-on approach to cloud governance also positions IT as a trusted advisor to end-users. Phil Agcaoili of US Bancorp points out that much of the risk incurred from cloud usage arises from a lack of knowledge. The typical employee does not have the resources or know-how to properly evaluate the security of cloud applications – many of which are available for free on a mobile app store. IT should proactively assume the role of an intelligence center for employees. By equipping users with information on cloud risk, security teams help users to make responsible SaaS consumption decisions. In fact, Skyhigh’s data shows that organizations that employ coaching via just-in-time educational pop-ups when blocking services reduce the usage of high-risk file sharing services by 97%. This makes everyone’s job easier; educated employees are a security team’s strongest allies.
— Phil Agcaoili (@Hacksec) September 25, 2015
Organizations should always prepare for the worst. Compromised accounts and rogue insiders are realities of the modern threat landscape. Security intelligence is an essential component of a resilient security posture. An article Troels Oerting of Barclays shared makes the point that many organizations are not in a position to take action on security incidents until after a data breach. Adaptive policies and early warnings of risky behavior help companies cut through the noise and remediate threats before they reach a critical stage.
The value of threat intelligence. http://t.co/92bnbf6eXg
— Troels Oerting (@TroelsOerting) October 1, 2015