Today an important trend is to bring full visibility to the complete enterprise cloud infrastructure. Put differently, there is so much shadow IT, and so much accompanying silent acquisition of cloud-based applications, that neither IT nor the security operations team has complete knowledge of the true extent of the extended enterprise. In response, IT teams are using tools that provide automated discovery of shadow IT and of the cloud resources in use. The average enterprise has over 500 clouds of varying sizes, yet, in our estimate, the IT team has complete knowledge of only a fraction of them. Once discovered, these cloud resources should be evaluated for the risk they pose to the organization, and appropriate actions should be taken to reduce risk and exposure.
These multi-cloud environments bring two major problems to large enterprise and government. The first is that of providing adequate data protection and threat protection. The second is doing this in a way that is transparent to the end user experience while also being compliant with the large backdrop of growing global regulation and compliance requirements.
Most enterprises have already deployed many critical vendor provided applications as well as their own custom applications to dozens to hundreds of clouds. In support of custom applications, cloud providers have offered a sometimes bewildering array of varying software stacks, configuration capabilities, different degrees of provisioning, different data center locations, and more.
Your SaaS application cloud providers present the application and try to take responsibility for securing their own infrastructure. Some have added features such as database encryption, but, upon close inspection, you can see it will not meet your needs as a multinational that must be compliant with GDPR, data residency regulations, HIPAA, PCI, GLBA, and much more. Or, when this SaaS vendor-provided encryption is used, functionality in the product is missing, or, even worse, certain fields that contain sensitive data are not protected. All of this presents a major administrative nightmare – there is too much risk and too few resources to address it adequately. You need to administer a growing list of proprietary cybersecurity dashboards, one per SaaS application, that are all different, and, in the case of encryption, almost wholly ineffective. Respectfully submitted, your selected SaaS companies may build great applications, but on a good day, cloud security is just not their area of expertise.
The solution? You must bring order to securing all of these different environments through one consistent approach that works with all of them. This consistent approach to security must be complete – you must secure the data at rest (in the database), in transit (moving through any network), and in use (on the workstation or platform where your application is being accessed). You must automate the encryption and tokenization of data before it is delivered to the cloud provider to ensure that any problems that happen while the data is in the cloud do not result in a breach.
Compliance is another considerable challenge that has moved to the forefront of issues impacting multinational companies and multi-cloud environments. Compliance regimes generally require that all data protection and threat protection include a comprehensive strategy for key management. Encrypted data can be decrypted by anyone holding the data encryption key. That key cannot be allowed out of your most secure locations and must be kept separate from the cloud-based data and applications. You must make iron-clad provisions to manage data residency, when required, by country, and this requires complete and uncompromising key management.
Let us consider GDPR compliance as an example. If you do not completely control the data encryption key strictly within your enterprise, you cannot reasonably assume that any breached data has not been decrypted. To make matters worse, if you let your cloud provider have access to your data encryption key or, worse yet, let them provide their own data encryption key, then they become a “data processor” under GDPR and must be included within your compliance audit. But you are financially responsible! The incentive for using encryption is driven by the compliance penalties of GDPR. GDPR is the tip of a compliance iceberg, and we expect many similar requirements to emerge globally over the next few years.
Perhaps part of the same wave, the enterprise is also moving rapidly to consolidate on one approach to securing all of these clouds, one sufficient to reduce risk and provide comprehensive data protection. Most large enterprises have many clouds, and there are just too many proprietary cloud security bolt-ons, one per SaaS vendor. It’s a mess.
Once again, there are effective solutions available today. Per Gartner, Forrester, and other leading analysts, the best practice is to consolidate and secure these clouds with a cloud access security broker (CASB) or Cloud Security Gateway. These solutions provide full visibility, data security, threat protection, and all of the controls needed to address compliance requirements. CASB has strongly emerged and become quite visible at this year’s RSA security show, as well as at both BlackHat and Defcon.
With CASB, the cloud data is secured at the edge: the working assumption is that every cloud will be compromised at some point, so plan accordingly. Every bit of sensitive data flowing into and out of any cloud application should be protected (encrypted or perhaps tokenized) before it gets into the associated cloud. It should only be accessible through the CASB platform, using data encryption keys that are available only to the customer, with absolutely no access for the cloud provider. Encrypted data that is stolen or accessed by an attacker remains protected as long as the key remains private; without the data encryption key it is gibberish and completely unusable, and is therefore not considered breached.
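The edge-protection pattern described in the two paragraphs above (protect sensitive fields before they reach the cloud, keep the key on the enterprise side, let the cloud store only ciphertext) can be illustrated with a small gateway. The following Go program is an added example written for this page; it is not code from the article, from any CASB vendor, or from any product named here. It assumes a hypothetical `Gateway` type holding a single AES-256-GCM data encryption key that stands in for a key served by an enterprise key manager, a constructed sample record with the field names `id`, `ssn` and `email`, and a constructed `enc:v1:` prefix to mark protected values. Each ciphertext is bound to its field name via the GCM associated data, so a value copied from one column into another fails authentication on the way back in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Record is one row an application wants to hand to a SaaS provider.
type Record map[string]string

// protectedPrefix marks a value that has already passed through the gateway.
// (Constructed marker for this example.)
const protectedPrefix = "enc:v1:"

// Gateway sits at the enterprise edge. It is the only component that holds
// the data encryption key; nothing beyond it ever sees plaintext of a
// sensitive field. (Hypothetical type; the key would normally come from an
// enterprise-controlled key manager rather than a byte slice.)
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool
}

// NewGateway wraps a 32-byte key in AES-256-GCM and records which fields are
// classified as sensitive by policy.
func NewGateway(key []byte, sensitiveFields []string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, sensitive: map[string]bool{}}
	for _, f := range sensitiveFields {
		g.sensitive[f] = true
	}
	return g, nil
}

// Outbound encrypts every sensitive field before the record leaves the
// enterprise. The field name is passed as associated data so that a
// ciphertext is only valid in the column it was produced for.
func (g *Gateway) Outbound(r Record) (Record, error) {
	out := Record{}
	for field, value := range r {
		if !g.sensitive[field] {
			out[field] = value // non-sensitive fields pass through unchanged
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nil, nonce, []byte(value), []byte(field))
		out[field] = protectedPrefix + base64.StdEncoding.EncodeToString(append(nonce, ct...))
	}
	return out, nil
}

// Inbound reverses Outbound for a record read back from the cloud. Any
// protected value that fails authentication (tampered, or moved between
// fields) is rejected rather than returned as garbage.
func (g *Gateway) Inbound(r Record) (Record, error) {
	out := Record{}
	for field, value := range r {
		if !strings.HasPrefix(value, protectedPrefix) {
			out[field] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, protectedPrefix))
		if err != nil {
			return nil, err
		}
		ns := g.aead.NonceSize()
		if len(raw) < ns {
			return nil, errors.New("protected value too short")
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q failed authentication: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gw, _ := NewGateway(key, []string{"ssn", "email"})
	stored, _ := gw.Outbound(Record{"id": "42", "ssn": "123-45-6789", "email": "a@example.com"})
	fmt.Println("what the cloud stores:", stored) // only id is readable
	back, _ := gw.Inbound(stored)
	fmt.Println("what the enterprise reads back:", back)
}
```

The point a practitioner should take from this is structural rather than cryptographic: the SaaS tenant stores `stored`, the key lives in `Gateway`, and a copy of the cloud database on its own yields only the `id` column. Binding the field name as associated data is the cheap extra that stops an attacker who can write to the cloud from shuffling protected values between columns.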