From Dropbox to Twitter to WeTransfer and Salesforce, the use of cloud-based applications has become an everyday part of the modern business ecosystem. Research has shown that the average employee uses a staggering 27 apps at work.[1] To accommodate this trend, most companies are now deploying cloud-based solutions; the expectation being that by 2018 around 59 per cent of companies will be using software-as-a-service (SaaS).[2]
As the understanding of the cloud has matured, progressive organisations have started to adopt enterprise applications that are tailored to meet the needs of their business. However, these businesses still rely on security products that were designed before the onset and global expansion of web applications. As a result, they are unable to meet the demands and complexity of the modern and mobile work environment.
So where does this leave businesses and their overwhelmed IT departments?
CIOs and IT departments are under increasing pressure to provide employees with reliable and secure web access across all devices, whilst controlling the use of cloud applications – all without compromising data security, and while preventing the spread of Shadow IT.
Part of the reason the growth of cloud applications has posed such a challenge and threat to traditional web security is because often users are unaware of the risks associated with sharing and uploading information. Research has shown that 43 per cent of C-level executives say negligent insiders are the greatest threat to sensitive data.[3] Instead of going through the red tape of IT procurement, provisioning, testing and security, employees are quick to download the latest app to access or share data. However, such a quick fix can have damaging implications on a company’s most valuable corporate assets – its intellectual property and brand reputation.
Discover, analyse and control
Now more than ever, organisations need to be able to monitor an individual’s use of corporate assets at the most basic level, regardless of whether users are in-office or mobile. Cloud application control (CAC) software can provide businesses with visibility and the ability to discover, analyse and control the information staff are accessing or sharing. With businesses under pressure to provide staff with access to the latest innovations, security becomes even more important.
The ongoing consumerisation of information technology is creating a Shadow IT community; a community which CIOs have little or no control over. ‘Everything-as-a-service’ presents the opportunity to buy localised cloud apps that complement or replace corporate on-premise system software, with most users opting for familiar branded apps under the false pretence that they are safe. With apps like Dropbox being quick to download and easy to use, it is not a trend that is going to disappear any time soon. If you can deploy an app in seconds to get the job done without the delay of following IT regulations and security, then why not?
The problem is that most apps are generic; created to service a mass market with only a basic level of security. As more companies embrace cloud applications to replace on-premise legacy systems, they must be aware of the potential security risks. To successfully apply security and privacy settings, businesses need greater visibility and control of enterprise data in the cloud that is accessed using both company-managed and bring your own devices (BYOD).
A fresh approach to security
In order to cope with the exponential rise of the app, data and cloud market, today’s web security solutions must offer CAC capabilities beyond the traditional security functionality. Security should extend beyond the web gateway and address the fundamental gap that resides between traditional web security and content filtering to secure the way in which we use apps today. Gartner agrees; by 2016, 25 per cent of enterprises will secure access to cloud-based services using a cloud application security broker (CASB) platform, reducing the cost of securing access by 30 per cent in the process.[4]
Ideally CAC should truly ‘follow the user’ by monitoring all actions. It should encourage the use of cloud apps and services while keeping company assets secure. This requires the ability to analyse the risk, audit and log all usage to maximise visibility at the time an issue occurs, rather than acting as a forensic tool post-event.
If businesses continue to use outdated web security solutions, how can they protect against an employee posting damaging or libellous comments about the company, or publishing sensitive commercial data on their feeds or uploading it to other cloud apps? The answer is they can’t. Traditional web security could only tell a CIO that a person has accessed the application, rather than details of the content or the post itself. As cloud application adoption continues to gather momentum, organisations need to step up to the challenge and embrace the advances that CAC functionality brings – or face the repercussions.
By Ed Macnair, founder and CEO of CensorNet
BIO: Ed Macnair, CEO and Chairman of cloud security specialist CensorNet, has over 30 years of sales and business development expertise in the technology and IT security world. Ed led the acquisition of CensorNet in October 2014 with the aim of accelerating the company’s product development and aggressively growing web security revenues through its global channel partners and new partnerships with managed service providers. His experience in cloud security is unquestionable: he was previously the founder and CEO of SaaSID, a UK-based single sign-on and application security vendor, which was acquired by Intermedia Inc. in September 2013. Before Intermedia and SaaSID, Ed was CEO of Marshal, a global web and email security company which merged with US web security provider 8e6 Technologies to form M86 Security. He also held senior management positions with MessageLabs, Symantec, IBM and Xerox.
[1] Data gathered by SkyHigh Network
[2] Cisco Global Cloud Index: Forecast and Methodology, 2013–2018
[3] According to data breach statistics from IBM
[4] Data gathered by research firm Gartner
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.