Cloud Security: Trust And Verify
A survey of 1,200 IT decision makers in eight countries including Australia, Brazil, Canada, France, Germany, Spain, the UK, and the US conducted in June 2015 found that within approximately 16-months 80% of the enterprise IT budget will be spent on cloud services. According to the report released by McAfee, Part of Intel Security titled Blue Skies Ahead the state of cloud adoption, researchers did note variation between countries, with quicker migration to the 80th percentile in Australia and Brazil at 11-months and 12-months respectively. The U.K. was the laggard in reaching the 80th percentile at 28-months.
Survey respondents also shared the types of cloud services that will garner a piece of their IT budgets. Surprisingly, software as a service (SaaS) did not represent the largest area of growth in future enterprise IT spending. Infrastructure as a service (IaaS) was mentioned by 81% of the respondents followed closely by security as a service (Sec-aaS) at 78%, platform as a service (PaaS) at 69%, and only 60% mentioned that SaaS would capture a share of their future IT budgets. This survey illustrates that as the use of cloud services becomes even more common in the enterprise, providing security for people’s data will take on an increasingly larger role.
An even more recent survey of 485 IT professionals conducted by SANS in September 2015, titled Orchestrating Security In The Cloud, noted that 40% of the respondents stored or processed sensitive data in their cloud environments. The survey displayed the IT professionals’ primary concerns included a lack of control over access to data, geographic location of sensitive data, compliance, and visibility of security controls built into an organizations’ public and hybrid cloud environments.
Business intelligence and financial and accounting information were the most common types of data that respondents are storing or processing in the cloud, each reported by 52% of respondents. Another 48% store or process employee records and 40% store customers’ personal information.
Based on these survey, results it’s obvious that a majority of enterprises are storing vital information in the cloud. It’s likely that many IT professionals are aware of the multiple breaches at Target stores where payment card data was stolen. Or, they may have heard something about hackers attacking health care organizations causing one patient to receive a $20K bill for surgery he never received.
Before other enterprises move additional data into the cloud they may want to review what occurred with a smallish enterprise of 10-20 employees named Code Spaces in 2014. Code Spaces was an entrepreneurial startup with revenues of approximately $2.4M that provided source code repositories and project management services for developers using distributed control systems. Having been in business for seven years, Code Spaces had built up an impressive customer base. In less than one day’s time, a hacker attack ended everything. According to multiple news reports, a hacker took over Code Spaces control panel provided by Amazon web services (AWS). The hacker attempted to extort a large sum of money to relinquish the control panel and enable Code Spaces to regain access to the site. Code Spaces did not succumb to this extortion request and instead tried multiple times to regain access using their own methods. The hacker responded by deleting almost all business data, local backups, machine configurations, and off-site backups. Eventually, through various efforts Code Spaces recovered access to the AWS control panel and posted a message that read, “We finally managed to get our panel access back but not before he had removed all EBS snapshots, S3 buckets, all AMIs, some EBS instances, and several machine instances.” Code Spaces ceased operations shortly after the hacker attack.
What a very frightening story but this couldn’t happen to your organization. No, you’ve got backups of backups. You’ve got a team of IT pros in their suits of armor ready to defend your data castle against all evil forces.
Well, for everyone else, a new category of security experts, cloud access security brokers (CASB), are emerging and Gartner predicts in their December 2015 report, How to Evaluate and Operate a Cloud Access Security Broker, that by 2020 85% of large enterprises will use a CASB solution up from 5% in 2015. Cloud Access Security Brokers is a term coined by Gartner to describe a particular set of cloud security solutions that provide an integral layer of cloud cybersecurity centering around four main pillars: visibility, compliance, data security, and threat protection.
Gartner recommends the following for IT professionals that manage cloud security:
- Use the Gartner CASB framework to structure their CASB strategies and evaluation criteria, including continuous cloud access discovery, verification and protection.
- Initiate CASB deployments with discovery/risk assessment ratings of the cloud services in use.
- Use the continuous visibility provided by most CASBs to help standardize on the best cloud services for the organization and to apply consistent security policies.
- Choose multimode CASB solutions that offer a variety of in-line and API-based visibility options.
- Extend sensitive data-monitoring processes to cloud-based services and look to integrate cloud data loss prevention with on-premises DLP efforts.
- Shortlist the security solutions they’ve already deployed, which may include CASB capabilities that meet their requirements, such as firewalls and secure Web gateways.
As enterprises continue to evolve and morph during this time of innovative disruption, one thing is certain; the days of isolating all data behind an impenetrable wall hidden from the outside world is not practical or profitable. Smart companies are researching and deploying the best cybersecurity processes and technologies to preserve and protect their customer’s and their organization’s data. After reading this article you may want to re-evaluate the emphasis you’re placing on cybersecurity within the organization and determine whether it makes sense to enhance the in-house IT security team or outsource this function to a specialist like a cloud access security broker.
Randall Smith – StratoSTACK Product Manager
Illustrations and Copy Edit: Jaime Baldwin- StratoSTACK Digital Media Specialist