According to ESG research, 63% of mid-market (i.e., 250 to 999 employees) and enterprise (i.e., more than 1,000 employees) organizations are currently using software-as-a-service (SaaS), 33% use infrastructure-as-a-service (IaaS), and 27% employ platform-as-a-service (PaaS) today. Additionally, 72% of all firms are increasing their spending on cloud computing initiatives this year. (Source: ESG Research Report, 2014 IT Spending Intentions Survey, February 2014.)
Wasn’t IT risk supposed to put the brakes on cloud computing deployment? Security professionals are still quite concerned. In an ESG research survey, infosec pros identified numerous cloud security risk areas as follows (Source: ESG Custom Research, IaaS Security Survey, September 2013):
- 33% of enterprise security professionals cited a lack of control over security operations directly related to IT resources used for internal purposes.
- 31% of enterprise security professionals cited privacy concerns over sensitive and/or regulated data stored and/or processed by a cloud infrastructure provider.
- 29% of enterprise security professionals cited lack of security visibility into cloud services infrastructure.
- 28% of enterprise security professionals cited a security breach that compromises our cloud service providers’ infrastructure.
- 27% of enterprise security professionals cited poor infosec practices at our cloud service provider(s).
These are clearly legitimate concerns (the kind that keep CISOs up at night!), yet it seems like the proverbial horse has left the barn on cloud computing. Enterprise organizations may be proceeding with caution, but they are proceeding nonetheless.
To me, this represents a “no compromise” situation – organizations want to use SaaS, IaaS, and PaaS for their financial and business benefits, and security professionals must figure out a way to enable this without adversely impacting IT risk.
Okay, that’s easy for me to write about, but how is this actually done? What’s needed here? In a world where IT control is waning, it’s imperative that CISOs gain better control over what they can. In my mind, this comes down to a few critical priority areas:
1. Identity. Regardless of where applications and data reside, the organization has to know who is accessing these resources, which devices they are using, where users are located, etc. They also need to update this knowledge continuously (i.e., real-time updates) and absolutely (i.e., non-repudiation). Identity oversight should be viewed in an “any-to-any” context, meaning that I need to know about any user (i.e., employee or third party), any device, any network location, any time-of-day, etc. Additionally, I need business context here, meaning I need to know that John Smith is trying to access the financial database from a public network, as well as the geeky assortment of IP addresses, MAC addresses, and DNS lookups underneath. Bridging identity to cloud (and mobile) applications has become a big opportunity for firms like Centrify, ForgeRock, Okta, and Ping, as well as stalwarts like McAfee, Microsoft, and RSA Security.
2. Data. Cyber-adversaries can launch DDoS attacks to take down my IT assets, but most are really after the data itself. Therefore, I better know where it is, how sensitive it is, and who is doing what with the data itself. This is the domain of companies like CloudLock, Ionic Security, Symantec, Varonis, Verdasys, and Vormetric, but there is plenty of room for others as well. As I mentioned in a recent blog, this is where I’d be investing if I were a VC or large security vendor like Check Point, Cisco, HP, IBM, Oracle, etc.
3. Visibility. As CISO, I need to know about everything – what’s happening on my internal network, what’s happening on endpoints, what’s happening in the cloud, etc. Furthermore, I need internal and external situational awareness from a number of different angles. For example, I want to understand risks associated with my business partners and cloud providers (e.g., BitSight, Netskope, Skyhigh Networks, etc.). At the same time, I want to look at log data, web sessions, and network packets as workloads move from server to server across internal and cloud provider networks (e.g., CatBird, CloudPassage, HyTrust, vArmour, Trend Micro, etc.). I also want access to threat intelligence that foretells any trouble with internal IT, my industry, or my cloud provider partners (e.g., Norse, Vorstack, Webroot, etc.). I’d also like central command-and-control, but that’s a different topic for another blog.
There is one other requirement more important than these three areas alone: Managing IT security today requires a consistent and complete purview over ALL IT assets, networks, transactions, etc., regardless of whether they live on-premises or in the cloud. This may come from a federated approach (most likely) or a single-pane-of-glass across the whole enchilada (a long shot), but as CISO, I need integrated visibility across everything.
I have no doubt that cloud computing will consume more and more of the IT pie, but most organizations will still have lots of in-house resources for a long time to come. Bridging these environments is certainly the key to success, but savvy CISOs will build as few bridges as possible and focus on bridging their most important oversight and visibility gaps.