Over the last year or so, the “Cloud Access Security Broker” market, as defined by Gartner, has exploded (451 Research calls it the “Cloud Application Control” market). Cloud Access Security Brokers sit between users and cloud service providers to interject enterprise security policies as cloud applications are being accessed.
There is no question that the problem of securing data in the cloud is a real one. Cloud adoption brings operational benefits and efficiencies, but if cloud adoption enables any corporate data to be stored or shared, then it is the enterprise’s responsibility to provide security for that data. Yes, cloud service providers play a key role in delivering security, but as part of the shared responsibility model, they are not liable for access to and usage of the cloud application. In other words, IT has ceded control of the day-to-day application maintenance, but not security.
But, is it just me, or has the cloud community really confused the issue of what enterprises need as a SaaS security solution? As new Cloud Access Security Brokers emerge, there is a segment that wants you to believe that SaaS security should focus on the problem of shadow IT. Specifically:
• IT must understand use of cloud applications used without their explicit approval
• Existing security solutions don’t address the problem
• Risk rating of cloud providers is a credible way of gauging the security of the cloud application
There are even some analysts which state that the discovery of shadow IT applications is the essential first step in the planning process towards control of cloud application usage.
I beg to differ.
First, let’s be clear that in the context of SaaS security, there are actually two problems we are solving:
Problem #1 – “I don’t know what my users are doing with the cloud”
This is a visibility problem, particularly around access and acceptable use. Some enterprises may choose to have controls around certain applications (i.e. Block Dropbox), but the reflexive clamp-down controls represents a mentality of the past. Since IT’s new role is to enable, the knowledge you can gain from discovery of shadow IT applications can help you understand popular cloud applications that you may not be aware of and institutionalize them for the rest of the company. See Tal Klein’s article on Shadow IT and Christopher Mimm’s Wall Street Journal article.
But cloud security solutions that offer visibility and risk ratings into thousands of “cloud applications” do not solve the issue of securing corporate data in the cloud. They are essentially a “next-generation firewall + 1”, focusing on access to and from a cloud application, and some controls for data in motion but not the critical data within and usage of sanctioned or institutionalized applications itself.
Pretty dashboards featuring cloud risk ratings don’t solve the fundamental problem of securing your enterprise data. Knowing your user is using a cloud application with a great risk rating does nothing for you if your user is breached. Take the example of the “Code Spaces” attack where an attacker gained access to the AWS control panel and demanded a ransom. In this example, AWS would have showed up with a great cloud provider risk rating.
Problem #2 – “I need to secure corporate data within Google Apps, Salesforce, Office 365, Box and more”
This second problem is about managing the security of your cloud applications the same way you would on-premise applications. It is an essential part of IT operations once you have determined you will sanction the use of cloud applications. In other words, it is part and parcel of your IT team’s day to day responsibilities, and cannot be ignored. And, it is orthogonal to the discovery of shadow IT problem.
A cloud application security platform becomes an extension of your IT team. Consider how unique every single cloud application is, and all the various ways that data can be shared. For example, in Salesforce alone, you can upload CRM field data, attachments or documents. There are various ways to automate the data upload process, which makes the amount of corporate data within Salesforce significant. Instead of having an IT expert that has to understand the nuances of every single cloud application, a cloud application security platform serves that purpose.
The use cases are also very different from those in Problem #1. They are about mitigating risks and addressing pain points with cloud applications:
• How can I govern privileges and access by IT administrators and executives within the enterprise? IT administrators may misuse their privileges or be hacked as in the case of the Code Spaces attack described earlier. Executives may have unique access to sensitive documents that need to be tightly controlled.
• How can I govern company data that is being accessed by unmanaged devices that may be compromised?
• How do I address accidental data sharing, for example John Smith intending to share a file with a contractor but accidentally giving complete public access to it?
• How do I differentiate between a user’s normal usage pattern versus a malicious user who is downloading excessive information from my cloud applications?
• How do I identify high-risk usage within a cloud application that may lead to a breach?
• How do I detect suspicious incidents for example, a user logging in from a blacklisted IP or simultaneously from two different locations, and address this quickly?
Digesting the two problems
As with all things in life and the cloud, the first step is to define precisely the problem that you want to solve. There are two different problem sets in the Cloud Access Security Broker space, with two different solutions. Solutions that focus on discovery of shadow IT don’t necessarily do well with governing corporate data within sanctioned cloud applications. Understand what you’re trying to achieve with the cloud and then select the right solution.