According to the Ponemon Institute, cloud applications are a significant security concern for organisations, with 71% of global IT professionals believing the challenge is harder to face using existing, conventional security tools.
Disregarding those who still don’t even know that they need to be aware of the risks, the majority have since cottoned-on to the necessity of having comprehensive visibility of cloud apps across all users.
There are all sorts of reasons why cloud app visibility and discovery are necessary. For instance, many organisations have been able to gain a picture of ‘shadow IT’ that has enabled them to bring previously unsanctioned apps into the corporate fold, or help users to find preferred alternatives. Most importantly, it is a vital first step in addressing the security challenge. After all, you can’t secure what you don’t know, and you have to start somewhere. Identifying cloud use and mitigating the risks is especially critical with data protection laws evolving and the increasingly negative consequences of failing to achieve compliance.
Unlocking Pandora’s box of cloud apps is a real eye-opener
Gaining that visibility is enlightening to say the least. Typically, in CensorNet’s experience of working with organisations yet to embark upon the discovery/visibility process, a CIO’s starting estimate will be perhaps 30 to 40 cloud apps in use by employees: “Less than a hundred, anyway,” is a fairly standard response. In reality, the average organisation will use more like 1,000 across their business – and that’s when the scale of the problem starts to become apparent.
If 1,000 sounds like an implausibly large number, consider how low the bar is to qualify as a fully-functioning cloud app. We are talking about anything that any given employee interacts with via their browser; sharing or attaching information that could end up going anywhere beyond the control of your company’s IT.
And that’s the issue; plenty of visibility and not enough control. Like having a crystal-clear windshield and dashboard in your car, with no means of changing speed or direction! Many European organisations are still at this first stage of cloud application security.
There’s a hole in my (S3) bucket
With ‘accidental online leaking and misconfigured services and portals’ overtaking hacking as the no.1 cause of exposed data records back in 2017, we’ve seen no signs of this letting up. Even with the large scale breaches of 2018, accidental online leaking is likely to maintain the no 1 position throughout the coming year; particularly as, it seems, administrators have trouble in correctly configuring even high-profile services like Amazon S3 and repeatedly misconfigure storage buckets exposing sensitive data at scale to the internet at large.
Resolving this problem is made more difficult as IT departments around the world continue to encounter skills and knowledge gaps in cyber security, as the number of job vacancies for security pros outstrips demand by several million. Even then, security professionals don’t always have the answers and can be forgiven for struggling with the extremely dynamic, elastic nature of cloud services and the rapidly changing usage habits of company employees.
The worst apps are the best ones
Looking inside your list of 1,000 or so cloud apps, some will appear ‘riskier’ than others. In other words, ‘at greatest risk of data exfiltration’. These invariably include any cloud storage, team working apps and messaging platforms – as all promote file sharing functionality. Using this definition, you’d also have to lump in your cloud CRM system as among the highest risk of all.
It would be easy enough to identify these and block them once and for all, thereby mitigating the associated risks. But it’s hardly a business-friendly approach! Imagine kissing goodbye, overnight, to your OneDrive, Dropbox, Google Suite, Slack, WhatsApp and Skype for Business, let alone something like Salesforce.com!
Evolving web security to take back control
What we know is that visibility and discovery are no longer enough – it’s time to take back control. And the good news is that cloud application security needn’t be overly complicated. As we’ve gone from the static websites of the past to the ever-increasing interactivity we get today, traditional web security approaches need only be evolved to a logical new state to cope with the shift.
In simple terms, the foundation of visibility provides valuable intelligence that an added control function can act upon. Doing so successfully rests on what your definition of successful is. Do you want to stamp out all risk whatever the cost, or optimise productivity in a secure way?
If it’s the latter, then organisations are better served by applying risk levels to the many hundreds of possible actions within the app, rather than assign risk to an entire cloud application. With these understood, individual users are restricted to specific functions relevant to their role and individual need. Not everyone needs to edit or download files. For many users just being able to view content is enough. This ensures that the manifest value of cloud apps is maximised in the most appropriate way for that given user, in the context of the unique risk framework developed for the organisation.
Remember, this purposeful approach to visibility and control isn’t about neatening up a tiny aspect of your cyber security concerns; it directly combats the no.1 cause of exposed data records which – in turn – underpins data protection governance and compliance. Don’t just look at the road ahead, grab the steering wheel too…
