Dave Shephard, Vice President APJ, Bitglass, asks now that business apps and data are in the cloud, if IT teams can achieve the same level of visibility and control they had for on-prem IT.
Most cloud access security broker (CASB) conversations in Asia-Pacific are about data protection. This alone represents progression in thinking from as recently as 18 months ago, when Shadow IT discovery and reporting remained high on the CASB requirements list for many customers.
It seems that the shared responsibility model for cloud is well understood, with most now acknowledging public cloud as a safe place to do business – assuming an organization understands how (and has the controls available) to use public cloud securely.
And that’s a pretty big assumption. Even before COVID, the use of any device connected to any network, from anywhere in the world, to do our work was relatively normal.
The pandemic response has seen an accelerated adoption of remote working, BYOD and cloud-first strategies, making security architectures intended for managed devices, corporate perimeters and the enterprise data center, appear outdated and ineffective.
Let’s put it another way. Placing data security hopes in the hands of tools like mobile device management (MDM) and endpoint data loss prevention (DLP) while we architect for users to have direct access to the Internet and cloud is not a great strategy.
By all means secure managed endpoints how, when and wherever possible, but if data protection is important, securing cloud apps is as important, perhaps even more so, and that is beyond MDM.
Here’s why: Enterprise IT has been flipped inside-out. More and more data is created in – and lives in – the cloud than in the enterprise data center. Many more users are outside of the firewall than behind it.
Cloud has been purpose built for ubiquitous access. With the right credentials, it’s reasonable to assume that any device on the Internet can be used to access cloud apps and cloud data, unless organizations can implement policies to manage otherwise.
If users can simply pick up an unmanaged device and bypass controls, then those controls are pretty weak. And we’re not only talking about employees using shared PCs or personal devices.
Every hacker and cybercriminal is using an unmanaged endpoint, connected to an unmanaged network. Now that business apps and data are in the cloud, can IT teams achieve the level of visibility and control they had for on-prem IT? Would they even know if files containing malware were being uploaded, downloaded or shared?
Their MDM won’t save the day, and information from API integrations are after the fact; e.g. they report the news and don’t prevent the incident.
Here’s a quick cloud security checklist. Today, are users able to:
- Access corporate cloud apps from a personal or home PC?
- Manage and control how sanctioned cloud apps can be accessed – by device, group or location?
- Apply adaptive rules, where changing conditions are met with different access policies? (e.g. request MFA)
- Implement DLP policies according to access conditions? (e.g. block downloads to unmanaged devices)
- Scan files from unmanaged endpoints destined for cloud apps to detect malware?
- See when access to cloud apps is being attempted from untrusted locations? (e.g. countries where the organization has no employee presence).
- Block access to cloud apps when legitimate credentials are being used, but the access attempt is from untrusted locations? (compromised credential, password guessing attack etc).
Organizations that are keen to discuss or learn more should seek a CASB that provides in-line and real-time (as well as out-of-band) visibility and control capabilities.
They should ensure that the solution encompasses access control, DLP, threat detection and malware scanning for any app, on any device, from any network.
Click below to share this article
