For a Cloud-First Strategy, Start With a Cloud Security-First Plan

November 14, 2014

Today, it’s hard to find an enterprise that is not digital in some way, regardless of industry, geography or size. More and more, digital means using the cloud, which is beneficial through lower operational costs, increased access and more flexibility. It’s late 2014, and most smart digital enterprises already have their information technology (IT) game plan for 2015. This means implementing a cloud-first approach with a more sophisticated use of the cloud to drive business differentiation and lower operational costs. This is dramatic. According to the International Data Corporation (IDC), cloud spending has risen to $127.5 billion worldwide in 2018. It also predicts a tenfold increase in the number of new cloud-based solutions.

Security Remains No. 1 Inhibitor to Cloud-First Adoption

Significant threats remain in vulnerable cloud applications, and users’ endpoints are moving further and further from the IT department’s control. Meanwhile, current IT infrastructures and staff are barely able to handle existing threats, let alone new ones. IT departments are obviously stretched thin and often lack the manpower or skills to handle the growing and unique security needs that result from cloud implementation.

The recent unending string of enterprise security breaches shows the pressures in the system. In 2013, Verizon reported more than 63,000 security incidents and 1,367 confirmed data breaches worldwide in its annual security breach investigations report. In the first half of this year, some 395 data breaches were reported to regulators in the United States, according to the Identity Theft Resource Center. Not even top financial services firms (such as JPMorgan), which spend more on security than any other industry, are immune.

Additionally, businesses and individual users are dragging companies into using cloud applications regardless of whether they are approved. Seventy-three percent of firms discovered cloud usage outside of IT or security policies, according to the IDC’s 2013 U.S. Cloud Security Survey. The recent leak of 7 million Dropbox passwords has raised legitimate questions regarding the security posture of all cloud applications.

Can Cloud Applications Be Made Secure?

It’s clear that more security risks will be created in cloud deployments without revamped and relevant security technology, training and practices. This is not necessarily because they are in the cloud, but rather due to the problem of discovering, tracking and protecting technology and operational boundaries, systems, devices and responsibilities. This situation can worsen as the number, variety and responsibilities of users also increase. Business unit-driven IT projects, aka “shadow IT,” will further aggravate the problem as untrained end users become responsible for more aspects of IT security.

Ironically, an expectation of the cloud-first IT strategy is that security will not improve because systems, data and workloads will be managed by security experts 24/7. That is not true. If the National Security Agency can get past the industrial-strength security of major cloud providers such as Google or Amazon, what makes you think you can with the same old commercial, off-the-shelf security tools?

What digital enterprises need is a cloud security-first strategy that is designed with security in mind from the start and focuses on the following key areas:

  1. Develop and maintain a constant state of discovery. It’s essential to manage the risk created by the thousands of software-as-a-service and infrastructure-as-a-service offerings available to your users. You should know which apps are being used at any point in time and what their individual risk profiles are.
  2. Control access to both sanctioned and unsanctioned cloud applications. Federated single sign-on to all end-user applications puts you in control of users and helps control data to and from these applications.
  3. Implement data protection. Many approaches exist here, and frankly, there is no perfect solution. Encryption, tokenization, data-masking and traditional data loss prevention solutions each have a place in controlling data.
  4. Get endpoint threat protection for your custom cloud applications. Cloud apps are simply a collection of virtual and physical endpoints and need much of the protection you would apply to a server in your own data center. Antivirus and other detection-based solutions detect known threats. Application white-listing controls which applications are allowed to install and run on an endpoint by matching authorized programs (the white list) to a database of “good” applications. This has been shown to be an effective way to block the execution of malware.
  5. You need network threat protection for your custom cloud applications. These protections defend cloud applications and data stores against network-based attacks by using signatures to detect and block them in the network data stream to and from the cloud.
  6. Security management matters. You can’t secure what you can’t manage. Responding quickly in the event of an outbreak boils down to good management of all your security technologies. Compliance should be a natural byproduct of your security management implementation.
  7. Develop and maintain a constant state of visibility. Knowing the who, when, where, what and how of your cloud applications is essential to securing the cloud. Security information and event management and related technologies are becoming baseline requirements for enterprise security practice and the cloud as an extension of that.
  8. Develop threat intelligence expertise. Unfortunately, everyone in IT, even end users, needs up-to-date threat intelligence to prevent becoming the next data breach headline. Know what your software assets are and keep up-to-date on vulnerabilities and threats that exploit those vulnerabilities.
  9. Every cloud-first initiative should include end-user security training. End users have emerged as a key weak link in enterprise security. With the proliferation of devices and Web, email and social communication, users are one click away from compromising themselves or your network. Mobile laptop users are further exposed since they have limited protection from the corporate network-based security mechanisms. Current defenses can be cumbersome to use and manage. All too frequently, employees are given administrator rights to enable their free use of any software. Unfortunately, this also gives attackers a leg up when going after information such as credit card numbers and intellectual property.
  10. Don’t be afraid to push security responsibility to lines of business. IT groups are stretched beyond their abilities to respond to and be responsible for the entire risk to the enterprise. Some groups are pushing responsibility for cloud usage security compliance to the line of business, with surprising results.
  11. Don’t mistake compliance for security. Auditing methods can’t keep up with today’s latest threats. Is your strategy too focused on passing audits and not actually protecting your data or mitigating threats?
  12. Are you being too risk-averse? Are you taking a lock-it-all-down approach that inhibits business growth, agility and opportunities? Risk is a spectrum; it is not binary. Take steps to clearly understand and agree to the risk of any cloud implementation.
  13. Clearly define your “crown jewels.” Is there agreement within your organization on what and where your most important data is? How much of it is there? Which applications and users have access to it? Who are the business owners? Which business processes, if any, rely on it? This will allow you to focus your resources on where it matters most.
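
As an added illustration of the first item (it is not part of the original article), the sketch below turns web proxy logs into an inventory of cloud apps in use, each with its users, outbound data volume and risk profile. The log format, the app catalogue, the risk scores and every domain name are assumptions constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical app catalogue: domain suffix -> (app name, sanctioned?, risk 1-5).
CATALOG = {
    "crm.example": ("ExampleCRM", True, 1),
    "fileshare.example": ("ExampleShare", False, 4),
    "notes.example": ("ExampleNotes", False, 2),
}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2014-11-03T09:12:01Z alice GET https://app.crm.example/leads 512
2014-11-03T09:15:44Z bob POST https://upload.fileshare.example/put 48210331
2014-11-03T09:16:02Z bob POST https://upload.fileshare.example/put 1200
2014-11-03T10:01:19Z carol GET https://notes.example/n/42 880
2014-11-03T10:05:00Z dave GET https://pastebox.example/raw/9 300
not a log line
"""

def classify(host):
    """Match the host, then each parent domain, against the catalogue."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return (host, False, 5)  # unknown app: treat as unsanctioned, highest risk

def discover(log_text):
    """Return {app: {sanctioned, risk, users, bytes_out}} from proxy logs."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) == 5 and parts[4].isdigit() else None
        if not host:
            continue  # skip malformed lines rather than crash
        name, sanctioned, risk = classify(host)
        rec = apps[name]
        rec.update(sanctioned=sanctioned, risk=risk)
        rec["users"].add(parts[1])
        rec["bytes_out"] += int(parts[4])
    return dict(apps)

def shadow_it(report):
    """Unsanctioned apps, highest risk first, then by data sent out."""
    rows = [(n, r) for n, r in report.items() if not r["sanctioned"]]
    return sorted(rows, key=lambda x: (-x[1]["risk"], -x[1]["bytes_out"]))
```

Calling `shadow_it(discover(SAMPLE_LOG))` ranks the uncatalogued host first, because an app nobody has assessed is scored as the highest risk until someone profiles it.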

There are many smart and talented people in the average IT organization. Cloud security is a relatively new domain, and many don’t understand the problem or the tools that are needed to solve the problem. To support cloud-first initiatives, customers should have a structured understanding of how to secure cloud workloads with industry-leading solutions. With the expanding adoption of cloud services, policy and control enforcement need not be contained within the confines of the organization. Third-party products are focused on bringing advanced and flexible cloud security technology to a broad customer base at reduced infrastructure costs and faster implementation times.

Dan Wolff
Director, Cloud Security Product Management

Dan Wolff is IBM’s Program Director for Cloud Security Product Management, responsible for driving new cloud security offerings from concept to launch by w...