Cloud service brokers help direct you through the traffic

With so many cloud service providers that run the gamut from first-rate to not well known, navigating the cloud territory can seem as daunting as hitching a cart to a horse and heading west. No, moving to the cloud is not the same as the manifest destiny that drove people out west, but both the cloud and the westward expansion promised great expectations.

Over the last 18 months cloud migration has been as aggressive as the westward movement in early 19th century America. Instead of horses and buggies, the virtual sky is littered with clouds like a traffic jam in a Jetson's episode. Organizations need to know what to look for in a provider to make sure that their cloud service lives up to their expectations.

In many ways, cloud delivers on its promises, though there are recognizable gaps depending on the service providers. Rich Campagna, vice president of products at Bitglass said, "We are seeing up to date modern applications that are available anywhere. From a security standpoint, we are starting to see where cloud is living up to its expectations and where some vendors are not."

Where security does not live up to its expectations can depend on the cloud service provider, but the enterprise remains ultimately responsible for any compromised data.

Jim Reavis, co-founder and chief executive officer at Cloud Service Alliance, said, "From a security perspective cloud companies that do security well are doing it very well, but a lot of cloud companies--and there are tens of thousands of cloud business services--are not well known." Those companies that are less recognizable can sometimes provide less satisfactory products.

"There are issues of uncertainty," Reavis said, "and sometimes security is not as well vetted. Some companies don't have enterprise type features or don't have a lot of security certifications."

Reavis said, "You need to look at how data is being managed. Is it being protected? Stored in alignment with any regulations? You don't have the indirect attacks where cloud users get phished, but a lot of risk is about data." Accessing data or not being able to access data is a potential risk, but data can also be compromised in the cloud depending on the cloud business servicers.

While cloud may work as a superior product for some organizations, there is no universal application that fits for all companies. From accessibility to security and everything in between, companies can make informed choices if they ask the right questions when deciding on which service provider is best for them.

Dave Cole, chief product officer at CrowdStrike advised that when moving to cloud, "make sure you are using cloud for the right reasons." Asking need-based questions, said Cole, is important in determining the right services. Vendors should be able to answer questions like, "exactly what data are you sharing? How is it being protected? What type of certifications have you achieved?" Cole said.

What are the benefits of cloud?

The ease of access to information without having to have infrastructure on premise is a notable advantage of moving to the cloud. "In the middle of an incident or breach, you don't have to deploy a server anywhere, and in the midst of a breach time is critical," said Cole. But shifting the server from on premise to a cloud service provider is about more than saving time during an incident or breach.

In addition to allowing employees to work remotely, "cloud means we have the ability to have employees anywhere working from any device and still have extreme visibility into endpoint," Cole said. This extreme visibility is also beneficial with BYOD as the cloud can see to the end point on any device.

For a lot of organizations, cloud both meets its expectations while also presenting some new challenges. Morey Haber, vice president of technology at Beyond Trust, said, "For SaaS and for extending QA and development, cloud has lived up to its expectations. But in some ways it hasn't. Specifically, for extending the data center, it has been problematic and presented new challenges for organizations."

The convenience factor and the ability to expedite access and response are great assets, but companies need to know security remains a concern in the cloud. "We have a demo lab, we use a cloud for that. We don't worry about anything. The convenience, the stability, the backup, I don't have to worry about any of that," Haber said.

Cole agreed that while cloud offers complete visibility, risks remain when it comes to "proliferation of services and adding layering on top of that. There are issues with policy and data leakage." As the landscape of the cloud continues to expand and evolve, corporations need to understand the policies that are used to secure and collect data.

For companies that are still in the midst of migration to the cloud, the idea of needing another measure of security can seem overwhelming. They have done their due diligence, analyzed their risk assessments, and determined that now is the time to move to the cloud. Just as they've transported their sensitive data, they are being told the cloud might not be enough.

Is relying on the cloud security enough, or should cloud and CASBs go hand in hand?

Harber said, "Anybody considering using the cloud for whatever technology--always try to grade or rate the sensitivity of the data they are placing in the cloud because that will gauge the risk and liability."

Cloud access service brokers afford organizations extended security for their devices and networks, but whether companies need a CASB or not is based on risk assessment.

Campagna said, "CASB a central point of visibility control that an organization can put in place to protect any cloud applications they wish. The CASB will build controls from embedded trackers to applying encryption to outright blocking of a transaction or redaction of information so that there is not a compliance exposure."

Data and information is all over the place. When data goes into the cloud, it essentially is sitting on someone else's computer. "Now all sensitive data is stored on somebody else's computer--a black box, and you don't know how its protected," said Campagna.

[ ALSO ON CSO: 14 tips to secure cloud applications ]

Where the physical environment protected on premise infrastructure, that barrier is obsolete in the cloud. Campagna said, "What's different is that literally anyone can login to a cloud door and get access into the application. Can we guard that front door--data access firewall so to speak."

Not only can anyone access the cloud, but cloud data gets synced down to devices. Campagna used a hypothetical example of company X that just deployed box. "Employees are going to download the box app onto all their different devices, and now a cloud problem has become a mobile access problem," Campagna said.

"Anyone that has sensitive data to protect and is moving to the cloud has the potential need for a CASB. They have sensitive intellectual property that they want to protect," Campagna said.

Any reasonably sized organization has some amount of information assets that they want to safeguard. "At the very least, a CASB is a good solution for getting visibility into external file sharing, for example," Campagna said.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cloud Service Alliancesecuritycloud security

More about CrowdStrikeCSO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kacy Zurkus

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place