Companies are continuing their ongoing migration to the cloud. If anything, the pace of this migration is accelerating. This is seen in two main areas. Firstly, companies are moving their custom applications off their own infrastructure and onto hosted platforms such as Amazon AWS and Microsoft Azure. Secondly, many business units are taking advantage of existing Software as a Service (SaaS) applications to solve problems quickly, rather than rely on IT to build them a custom solution. These changes improve customer agility, but add new challenges for IT security and, in particular, the security of data.
The challenges in securing cloud applications is very different. There is no longer a perimeter to defend in-depth as applications are scattered and geographically diverse. There is not even a known set of applications to secure, as in many cases business units are making use of SaaS applications without IT being aware of it. Finally, the security model of the infrastructure providers depends on a model of shared responsibility, where the provider and the customer have different but interrelated responsibilities.
With this new paradigm, IT no longer has direct access to the physical environment as it once did. This is particularly true of SaaS applications where the vendor only provides minimal access to functionality in a shared environment, typically by a combination of user interface and API access. However, important corporate data, much of it regulated or restricted, now resides in these environments within applications that can be very opaque to the end user, and where the rules around data storage and protection may be poorly defined.
With these changes, we are moving from an environment where security meant locking down the perimeter, to a model where data security is paramount. This new model needs to be looked at from two different perspectives: that of the technology that is needed, and that of the people-related aspects, the policies and governance that surround the management of cloud-based applications and data.
The technology itself—the tools that provide ways to control, monitor, and protect information assets based upon the rules decided under governance/policy—is in fact the easier of the two to come to grips with. There are new categories of tools that allow an organization to come to grips with Cloud Security management, such as cloud-based identity and access management (IAM), and cloud access security broker (CASB). The tools can provide capability in several areas, including identity management in the cloud (IAM), authorization and authentication for cloud services (IAM), data loss prevention (CASB), malware prevention (CASB), anomaly detection (CASB), and cloud application usage risk mitigation (CASB).
However, the more complex part of Cloud Security is coming to grips with the policies and processes needed to manage these new tools. Many capabilities will need to be developed, along with ongoing operational management of the new tools and governance processes. These will include ongoing management of the processes, validation against regulatory standards, and day-to-day operational management. These are the items that need to be taken care of so that risks are mitigated, compliance and regulatory issues are enforced, threats are managed in real time, alerts are monitored, and reporting is timely.
And, of course, there are the usual issues related to building out new capabilities: the staffing scenarios and financial implications that coincide with the management of Cloud Security. For smaller organizations, attracting someone (or multiple people) to the organization can be a challenge, along with the difficulty of retaining employees once they have been trained in skills that are highly in demand.
For larger organizations, the financial aspects of calculating staffing costs versus returns need to be considered. Even when finding and retaining the right individuals with the right skill sets is accomplished, the financial aspects that apply can soon come into question. It might be difficult to justify the costs of building the new team if there are more effective options available via outsourcing.
Delegating these Cloud Security challenges to a managed services company can start to make a lot of sense. Experts who have the knowledge and pedigree to tackle modern Cloud Security challenges head-on by leveraging the collective experience gained through simultaneously monitoring a multitude of companies, bring with them a plethora of benefits with little to no downside.
Aside from the monetary aspects of predictable operation costs (moving CapEx to OpEx), professional managed service providers can also immediately implement everything from best practices to delivering automatic notification and implementation of regulatory change—because it’s their job.
So, in the end, why is outsourcing your Cloud Security in the best interest of everyone involved? The answer is clear.
Kyle Watson