In today’s rapidly changing IT world, business users in your organization are going to seek the agility and increased capabilities of the cloud whether or not your IT operation sanctions it. So your efforts to provide IT security in the cloud need to start with embracing that fact and working to build secure practices from there.
In EMC’s Global Security Organization, we found that the best way to secure the cloud is to become a part of it rather than trying to fight it. As part of the solution, you can build better, more secure offerings that protect your data and give users a better experience.
For the past nine months, GSO has been identifying shadow IT applications (or business-managed IT) in the cloud using a security monitoring appliance, RSA NetWitness, in conjunction with increased security analytics. This gives us a comprehensive view of our network traffic, including shadow IT. And rather than blocking those shadow users from continuing their cloud-based operations, we work with them to provide IT-controlled solutions that will still serve their business needs in a secure way.
The message we are striving to promote is one of helping as opposed to policing their efforts. We are giving users the same functionality, but with the ability to manage it and protect EMC’s data.
After all, IT security is no longer just about securing the perimeter of your IT environment to keep bad guys out and sensitive data in. Users are working in the cloud and accessing data from outside your organization’s walls, so IT security needs to shift its strategy away from setting standard internal system controls and toward building governance and insights that control access to the cloud based on user identity and authentication.
A gatekeeper, not a roadblock.
We need visibility into traffic and resources, and the ability to inspect the traffic, understand what it is, and put security policies around it. If it is sensitive data, you may want to block certain traffic. Or you can make sure that those accessing sensitive data are doing so from IT-managed devices and that the information is encrypted.
Our vision is to have a layered, risk-based approach to allowing access to cloud resources. The risk-based model we are developing is based on the following user criteria:
- What device are you using?
- Where are you coming from?
- How are you getting here?
- Where are you going?
- What’s your history?
If a user would like to access publicly available data from their mobile device, access requirements will be minimal. However, if a user is seeking access from an unfamiliar location based on our data, we may want to step up authentication requirements to validate their credentials. When it comes to cloud security, one size doesn’t fit all.
With today’s advances in Big Data and analytics, we are also devising a process to use security analytics to review logs and traffic to determine the effectiveness of our security policies. Are we allowing too much traffic in some areas? Are we blocking too much traffic in others? Maybe we need to combine one policy with another to get better results. We are currently evaluating policy changes using Big Data information.
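The layered, risk-based model above (device, origin, path, destination, history) and the policy review described in this paragraph can be sketched as a scoring policy. This is an added illustration, not EMC's or GSO's code; the weights, thresholds, channel names and sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed weights and thresholds for illustration only.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 2, "sensitive": 4}
TRUSTED_CHANNELS = {"corporate_network", "vpn"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_managed: bool           # What device are you using?
    location: str                  # Where are you coming from?
    channel: str                   # How are you getting here?
    resource_sensitivity: str      # Where are you going?
    known_locations: frozenset     # What's your history? (locations seen before)
    recent_failed_logins: int = 0  # ... and recent authentication failures

def risk_score(req: AccessRequest) -> int:
    """Sum a risk contribution from each of the five criteria."""
    score = 0
    if not req.device_managed:
        score += 2
    if req.location not in req.known_locations:
        score += 3                 # unfamiliar location: step up authentication
    if req.channel not in TRUSTED_CHANNELS:
        score += 1
    score += SENSITIVITY_WEIGHT[req.resource_sensitivity]
    if req.recent_failed_logins >= 3:
        score += 2
    return score

def decide(req: AccessRequest) -> str:
    """Map a request to allow / step_up_mfa / block."""
    # Hard rule: sensitive data is only reachable from IT-managed devices.
    if req.resource_sensitivity == "sensitive" and not req.device_managed:
        return "block"
    score = risk_score(req)
    if score <= 3:
        return "allow"
    if score <= 6:
        return "step_up_mfa"
    return "block"

def policy_summary(requests) -> dict:
    """Tally outcomes over a batch of requests to check whether the policy
    allows or blocks too much (the analytics review loop)."""
    return dict(Counter(decide(r) for r in requests))

HOME = frozenset({"head_office"})  # constructed per-user location history
SAMPLE = [  # constructed requests: public data from a personal phone, etc.
    AccessRequest("alice", False, "head_office", "mobile_browser", "public", HOME),
    AccessRequest("alice", True, "new_city", "vpn", "internal", HOME),
    AccessRequest("bob", False, "head_office", "vpn", "sensitive", HOME),
    AccessRequest("bob", True, "head_office", "browser", "internal", HOME, 5),
]
```

Running `policy_summary(SAMPLE)` over a real day's access log is the kind of tally that shows whether a threshold is too tight or too loose before the policy is changed.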
Understanding your data
One of the first steps your organization needs to take in order to create a risk-based approach to securing cloud access is to understand your data. That means classifying your data in terms of sensitivity and establishing employee roles in regard to data access. You can then use classification to put controls in place around your data to establish access models.
Managing the lifecycle of user access is critical. We have a fully integrated identity access management tool, so we know when people change roles or leave the company and their identity is removed from the network.
Setting up integrated authentication for accessing resources is one of the first things IT would do in launching a new IT project in the cloud. However, shadow IT users don’t necessarily take that step. They often set up various passwords and processes as they use non-IT cloud solutions. So one of the first things we look at when we begin working with business users to secure their shadow cloud operations is how we can integrate that identity into our management process.
It isn’t about trying to turn these applications off and hampering business users; it’s about working with them to find best practices in managing their cloud: identity access management, governance, and access roles. For us, it’s about creating visibility into the cloud and helping them understand what’s going on.
We still have a long way to go. But I feel better than I did last year, when my only tool was blocking cloud applications. Whether we are dealing with private, hybrid or public clouds, we want to create a seamless experience for our users with adaptive but secure policies that protect our organization.