Cloud adoption is trending—and it is an inevitable choice for any enterprise that wants to stay relevant in today’s interconnected world.
The security of storing and processing critical data outside of the enterprise’s control is a central factor to the analysis of cloud adoption.
So whether your organization employs a cloud-first strategy or is still sitting on the sidelines of the cloud game, there are three key steps to understanding what risks the cloud poses to your data.
- Assess your current cloud usage. What cloud services are your users already using to do their jobs? Security leaders should sponsor a project to inspect all network traffic using a web proxy server or cloud access security broker (CASB) to fully identify your enterprise’s app consumption. The next step is differentiating between enterprise-sanctioned apps and rogue shadow IT apps. The prevalence of shadow IT is either unknown or underestimated by the IT departments at most enterprises. The mounting risks from decentralized and uncontrolled cloud service adoption across the gamut of enterprise applications have left CIOs wondering how to best assess the extent of shadow IT services that have migrated to the cloud without any adequate control measures or oversight from IT. While these shadow IT systems may have served as a quick win to the business when implemented, the legacy impact of these cloud solutions is redundancy and an increased attack surface throughout the enterprise. As surveillance and data leakage concerns continue to haunt consumers and businesses alike, security due diligence of cloud solutions is paramount.
- Adjust your strategy to reduce cloud risk. There may be significant cost and efficiency gains possible by moving select services to the cloud. Risk reduction measures should be evaluated concurrently to securely scale your cloud adoption. Consider cloud identity management solutions for single sign-on to enable centralized access controls, including multifactor authentication options. Further, automated user provisioning will inject security into your application portfolio management. Another recommendation to security leaders is to leverage a layer 7 next-gen firewall for web traffic classification and control. This visibility will allow you to block risky, nonbusiness apps, such as peer-to-peer sharing, or restrict quasi-business apps, such as file sharing services, to only privileged users/groups with a demonstrated need.
- Plan your future cloud model. Whether your business users want to consume Software as a Service (SaaS) solutions or your IT infrastructure teams see value in Infrastructure as a Service (IaaS) offerings, there are many ways to mitigate your risks while satisfying both sides. Advanced security analytics, data context and application auditing made available by CASBs can enable deep integration into many foundational enterprise apps (Office 365, Google Apps, AWS, Azure). It is also imperative to formalize your application risk assessment when choosing between cloud-based SaaS and increasingly available on-premise SaaS solutions for those critical services that your risk managers cannot bless to the cloud. Some niche cloud service providers (e.g., GitHub, JIRA) also offer on-premise options to customers, and new Docker container technologies (Replicated) are now allowing vendors to offer the same SaaS experience, but delivered on-premise, in an effort to keep a better handle on enterprise data and security. In the ultimate decision of cloud adoption, your future cloud model may well be sitting behind your own firewall.
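As an added illustration of the first two steps (not part of the original post), the script below inventories proxy traffic, separates sanctioned apps from shadow IT against a catalog, and ranks the unsanctioned apps by outbound volume so the list can go to the business owners. The log format, the app catalog and the log lines are all constructed for this example; a real deployment would read the proxy's or CASB's own export format.

```python
import re

# Constructed catalog, not a real CASB feed: host suffix -> (app name, category, sanctioned?)
APP_CATALOG = {
    "office.com": ("Office 365", "collaboration", True),
    "sharepoint.com": ("Office 365", "collaboration", True),
    "github.com": ("GitHub", "dev-tools", False),
    "dropbox.com": ("Dropbox", "file-sharing", False),
    "wetransfer.com": ("WeTransfer", "file-sharing", False),
}

# Constructed proxy log lines in a simplified "timestamp user dest_host bytes_out" form
SAMPLE_LOG = """\
2016-04-01T09:12:03Z alice api.office.com 48211
2016-04-01T09:13:40Z bob www.dropbox.com 1049022
2016-04-01T09:15:10Z alice github.com 22044
2016-04-01T09:16:55Z carol wetransfer.com 5120003
2016-04-01T09:17:02Z bob contoso.sharepoint.com 8834
2016-04-01T09:18:30Z dave intranet.corp.example 3001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def lookup_app(host):
    """Match a host against the catalog by its longest known suffix; None if unknown."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        suffix = ".".join(parts[i:])
        if suffix in APP_CATALOG:
            return APP_CATALOG[suffix]
    return None

def inventory(log_text):
    """Aggregate per-app users and outbound bytes; also collect hosts the catalog does not cover."""
    apps, unknown = {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, user, host, nbytes = m.groups()
        hit = lookup_app(host)
        if hit is None:
            unknown.add(host)  # candidates for catalog review, not yet classifiable
            continue
        name, category, sanctioned = hit
        entry = apps.setdefault(name, {"category": category, "sanctioned": sanctioned, "users": set(), "bytes": 0})
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
    return apps, unknown

def shadow_it(apps):
    """Unsanctioned apps ranked by outbound volume, highest first."""
    return sorted(((n, e) for n, e in apps.items() if not e["sanctioned"]), key=lambda kv: -kv[1]["bytes"])
```

Hosts left in the unknown set are the ones to research next, since an unclassified destination is exactly where an unlisted shadow IT service hides.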
Gary Miller, CISSP, CISA, CIA, CRMA, CCSA, ITILv3
Senior Director of Information Security at TaskUs
Note: Gary Miller will present on shadow IT risk and cloud governance at ISACA’s 2016 North America CACS conference in New Orleans, 2-4 May 2016. To learn more from him and other expert presenters, register here.
[ISACA Now Blog]