The analyst firm Gartner recently published a report titled “Don’t Let Cloud Migration Flip Your Network and Put Users in Charge of Enterprise Security” (Download a copy here). The report focuses on the security challenges created by migrating to the cloud and provides recommendations for security and risk managers. Below are select takeaways and Gartner’s recommendations for secure cloud adoption.
1) Organizations, as part of their cloud-first strategy, are adopting cloud without appreciating the extent to which they’re giving up control to the cloud service providers
Traditional information security models relied on a simple concept: what you could see, you could secure. Anything outside the network perimeter that couldn’t be seen or controlled was presumed non-secure. The cloud-as-a-service model has dramatically changed the notion that security can only be achieved within the corporate perimeter.
- Utilize a cloud access security broker (CASB) registry of cloud services to determine which cloud services are required to satisfy line-of-business requirements, and limit cloud usage to only those cloud services that pose acceptable security risk.
- Run a cloud audit report to identify unsanctioned cloud apps, and for the risky applications, coach users towards cloud applications that provide the same functionality but have been sanctioned by the IT department.
2) The rise of cloud adoption means everyone is mobile even when they’re in the office
While most people still spend the majority of their working hours in an office or on-location (presumably protected by the network), much of the work being done via cloud is using someone else’s infrastructure. So even when implementing security controls at the network level, the reality is that users will often circumvent those controls when accessing cloud services.
- Set the right expectations for employees looking to work from anywhere. This could include disallowing or limiting access for users who reach cloud services from unexpected locations or unmanaged devices.
- Revamp your work-from-home program, if one exists, to bring it in line with a cloud-first strategy. This could mean creating more flexible work programs, or “accommodating disabilities and disaster preparedness.”
3) The corporate network topology has flipped
Whereas the enterprise (or more accurately, the enterprise network) was once the hub, with users accessing corporate data via the network as spokes, today, the cloud has made users the hub, with different cloud services being spokes. This new topology completely circumvents the network controls.
- Deploy a CASB in order to regain the control that’s lost in the cloud and “recreate enterprise hublike characteristics in the cloud.” This includes integrating with IDaaS providers to gain visibility into user behavior in the cloud.
- Implement appropriate CASB controls for different service groups such as “sanctioned”, “permitted”, and “blocked”.
  - Sanctioned services, with advanced APIs, will support full CASB controls, including data loss prevention (DLP), access control, threat protection, encryption, and more.
  - Permitted apps should be monitored for misuse, but since they present minimal risk (as derived from the previously mentioned cloud audit), they shouldn’t be automatically blocked simply because they’re not officially sanctioned.
  - Blocked applications are those services that pose risk beyond what an enterprise can tolerate. These applications should always be blocked and users should be coached towards permitted or sanctioned apps with similar functionality.
4) Some level of bring-your-own-device (BYOD) has become the status quo at most organizations. But BYOD along with cloud adoption creates several security issues
BYOD completely bypasses traditional endpoint security controls, which rely heavily on installing some kind of software on user devices. Even when accessing cloud services over a secure browser session, unmanaged devices still provide local storage (which could be a vector for data loss), and BYOD by itself is simply not adequate to protect the user or the data stored on those devices.
- Combine the functionality of a CASB with enterprise mobility management (EMM) solutions to enforce consistent policies across all cloud services.
- Enforce contextually aware adaptive access controls that limit user behavior within cloud services accessed from unmanaged devices.
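The cloud audit (takeaway 1), the sanctioned/permitted/blocked service groups (takeaway 3) and the device- and location-aware adaptive access controls (takeaways 2 and 4) fit together as a single policy decision. The following is an added illustration of that decision logic, not code from Gartner or from any CASB product; the service registry, the hostnames, the risk scores, the coaching map and the proxy log lines are all constructed for the example, and the treatment of services missing from the registry (monitor and flag for the next cloud audit) is an assumption made here.

```python
"""CASB-style service classification, adaptive access and cloud audit.

Added illustration only: the registry, hostnames and log lines below are
constructed, and nothing here is Gartner's or a vendor's implementation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Group(Enum):
    SANCTIONED = "sanctioned"   # IT-approved, API-integrated: full CASB controls
    PERMITTED = "permitted"     # acceptable risk: monitored, never auto-blocked
    BLOCKED = "blocked"         # risk beyond tolerance: always blocked


# Constructed registry: service host -> (group, risk score 0-10 from the cloud audit).
REGISTRY: Dict[str, Tuple[Group, int]] = {
    "files.corp-cloud.example": (Group.SANCTIONED, 2),
    "notes.small-saas.example": (Group.PERMITTED, 4),
    "share.riskyupload.example": (Group.BLOCKED, 9),
}

# Constructed coaching map: a risky service -> an approved service with similar function.
COACH_TO: Dict[str, str] = {"share.riskyupload.example": "files.corp-cloud.example"}

# Controls a sanctioned, API-integrated service can support (takeaway 3).
FULL_CONTROLS = ("dlp", "access_control", "threat_protection", "encryption")


@dataclass(frozen=True)
class Request:
    user: str
    service: str
    managed_device: bool       # EMM-enrolled corporate device?
    expected_location: bool    # request from a location the user normally works from?


@dataclass(frozen=True)
class Decision:
    action: str                # "allow", "monitor" or "block"
    controls: Tuple[str, ...] = ()
    coach_to: Optional[str] = None
    reason: str = ""


def decide(req: Request) -> Decision:
    """Return the CASB action for one access request."""
    entry = REGISTRY.get(req.service)
    if entry is None:
        # Assumption: unknown services are unsanctioned until the cloud audit classifies them.
        return Decision("monitor", ("flag_for_cloud_audit",), None, "service not in registry")
    group, _risk = entry
    if group is Group.BLOCKED:
        return Decision("block", (), COACH_TO.get(req.service), "risk beyond tolerance")
    # Adaptive access: an unmanaged device from an unexpected location gets no access at all.
    if not req.managed_device and not req.expected_location:
        return Decision("block", (), None, "unmanaged device from unexpected location")
    if group is Group.SANCTIONED:
        if req.managed_device:
            return Decision("allow", FULL_CONTROLS, None, "sanctioned, managed device")
        # Unmanaged device: keep the session in the browser; local storage is a loss vector.
        return Decision("allow", FULL_CONTROLS + ("no_download", "read_only"), None,
                        "sanctioned, unmanaged device")
    # PERMITTED: watch for misuse, but do not block merely for lack of sanction.
    controls = ("activity_monitoring",) + (() if req.managed_device else ("no_download",))
    return Decision("monitor", controls, None, "permitted, monitored")


def cloud_audit(log_lines: List[str]) -> Dict[str, dict]:
    """Summarise non-sanctioned usage from constructed proxy lines 'user host bytes'."""
    seen: Dict[str, Set[str]] = {}
    for line in log_lines:
        user, host, _bytes = line.split()
        entry = REGISTRY.get(host)
        if entry is None or entry[0] is not Group.SANCTIONED:
            seen.setdefault(host, set()).add(user)
    return {host: {"users": sorted(users), "coach_to": COACH_TO.get(host)}
            for host, users in seen.items()}


# Constructed proxy log: who reached which cloud host.
SAMPLE_PROXY_LOG = [
    "alice files.corp-cloud.example 120",
    "bob notes.small-saas.example 30",
    "carol share.riskyupload.example 900",
    "dave unknown-tool.example 10",
]

if __name__ == "__main__":
    for host, summary in cloud_audit(SAMPLE_PROXY_LOG).items():
        print(f"{host}: users={summary['users']} coach_to={summary['coach_to']}")
    print(decide(Request("alice", "files.corp-cloud.example", managed_device=False,
                         expected_location=True)))
```

The audit output is what drives the coaching conversation: every non-sanctioned host is listed with the users who touched it and, where the registry knows one, the approved alternative. The decision function keeps the three service groups separate from the device and location context, so a sanctioned service still reaches a personal laptop, but only as a read-only browser session with no local download.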