Cloud Application Security
Many organisations assume they don’t need to worry about cloud application security as they aren’t using the cloud.
But just because you aren’t using Microsoft 365, it doesn’t mean you’re not in the cloud. The average company uses almost 1,000 cloud applications and yet there’s a lack of awareness about what a cloud application actually is.
Simply put, a cloud application is pretty much everything your employees are doing in their web browser to do their job, and facilitates sharing or attaching the information that could end up going anywhere beyond the control of the company.
LinkedIn, Salesforce, WhatsApp Web, Google Drive, and the list goes on.
If any business isn’t already using the cloud in some capacity (and there can’t be many!), then digital transformation will almost certainly come knocking at the door in the next few years. Conducting an evaluation of cloud services and formulating a cloud application security strategy will be crucial. Those organisations who have no cloud strategy in place yet, despite using cloud apps, would be well advised to put one in place.
A recent survey by Microsoft found that 77 percent of organisations see cloud security as a challenge when it comes to using the cloud, with 29 percent seeing it as a significant challenge. And it’s easy to see why.
We’re all well aware that people are often the weak link in security and prone to doing things they shouldn’t, sometimes by accident and sometimes on purpose. The cloud significantly increases the risk of, for example, an employee sharing sensitive documents with people they shouldn’t over Facebook Messenger.
In fact, research we conducted showed that nearly a quarter of people are using messaging apps like WhatsApp, Telegram and Facebook Messenger to share work documents, while 16 percent used Dropbox, Google Drive, or similar to take company information to a new job. For this reason, control and visibility are absolutely crucial at every stage of the cloud security journey.
First and foremost, businesses need to get an understanding of what cloud services and apps are already being used. As most IT managers are all too aware, employees have a habit of using unsanctioned apps to make their jobs easier, so-called ‘shadow IT’.
We’re of the view that people should be able to use whatever they want to do their jobs and if that means talking to clients over WhatsApp Web, let it be. A cloud application discovery process, however, is absolutely critical to uncover exactly what is being used and how. Knowledge is power after all. Once you have an understanding of the apps used in your workplace – sanctioned or otherwise – you can then manage them.
Not all apps are created equal though and some are riskier than others. Armed with your list of apps in the business, you should start implementing cloud application security policies for the riskiest apps. This tends to include things like cloud storage, team collaboration apps and messaging platforms and anything else that offers file sharing.
While it would be simple enough to block those that aren’t 100 percent necessary, that’s not going to be a popular approach with employees. Instead, you should limit what actions can be taken and by who. Not everyone needs to be able to download and edit the new business pipeline, for example, so that should be restricted functionality for those who absolutely need it.
The same process can be conducted with any cloud infrastructure, not just apps. If your team is using Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) solutions then reviewing how they are used and what actions can be taken is also important.
Misconfigured cloud services overtook hacking as the number one source of data loss in 2017, so having a robust cloud security strategy in place will save trouble down the line. As an added bonus, you may well also see a cost benefit when you uncover underutilized storage!
Tools like a Cloud Access Security Broker (CASB) provide all the visibility and control you need, allowing you to monitor user function and interactions and restrict actions as needed. Rather than a risk, the cloud quickly becomes a business enabler with a cloud application security solutions in place.