Organisations continue to move more and more of their services and infrastructure to the cloud with Gartner predicting worldwide public cloud service revenue to top $200 billion this year, an increase of 17%. But this continued movement to the cloud has also led to a shift in the security posture of companies since it typically means that most of their data is living in multiple different clouds, versus residing on premise. Because this data is effectively beyond the ‘castle walls’ of their network perimeter, organisations are in something of a state of transition when it comes to the cloud and their approach to security.
Security considerations are arguably acting as a brake on overall cloud growth. A recent study of 300 large enterprise IT and security professionals found that 43% of respondents said security concerns are the biggest obstacle to cloud adoption, and 37% claimed it’s the biggest barrier to SaaS adoption. Yet, if implemented correctly, moving infrastructure and services to the cloud boosts security and can give companies more control over their infrastructure and users, provided some of the following are considered carefully:
How ‘in control’ is my organisation?
Moving infrastructure and services to a third party can mean a loss of control if the right questions are not asked. For instance, systems might be upgraded without notice or at times which don’t work for your organisation or customers. As a provider of cloud-based security gateways, we often hear that some firms are placed on shared infrastructure, where a large upgrade for one organisation can have a detrimental effect on another even though they are separate companies. Similarly, organisations can be forced into sharing IP addresses and sharing SSL decryption keys – these have a big impact on being able to use the cloud securely and seamlessly. It’s very important therefore that firms ask searching questions of their cloud provider to ensure this doesn’t happen.
Are security policies consistent regardless of where the user is based?
It used to be the case that most workers would be office based for most of the time and security was easier to control. Now that this perimeter has disappeared, it is vital that office and remote workers are subject to the same security policies regardless of where they are based. ‘Cloud connectors’ provide the ability to apply user-based policies and generate user-based reports regardless of whether the user is in or out of the organisation’s network perimeter, wherever they may be geographically and regardless of what device they are using.
Will applications perform in the same way when hosted in the cloud versus locally?
When traffic is headed toward cloud applications such as Office 365, unnecessarily sending that traffic through private connections to centrally hosted security appliances is not only costly but can reduce user productivity substantially as Internet connections from branch offices are choked. Therefore, traffic must be able to flow through the most optimized path directly to the Internet in order to reduce the load on valuable network resources, including firewalls and routers.
Is bandwidth going to get out of control?
As mentioned, unnecessarily sending traffic through private connections to centrally hosted security appliances is bandwidth intensive and can introduce latency as well as costs. If security appliances are on premises it can also mean a continued infrastructure cost since they need to get continuously upgraded just to keep up. Delivering Internet security in the cloud so that it routes traffic directly to the Internet from branch locations is the only way to keep on top of network demands and provide the best user experience possible.
How do I prevent unapproved apps being used in my organisation?
Shadow IT is a continuous issue for IT departments as the lines between work and private activity continue to be blurred and cloud application use becomes un-audited and un-controlled due to lack of visibility and controls. Shadow IT usage can present multiple risk vectors for the organisation, including data loss, productivity loss, bandwidth utilization issues and a higher risk of compromise from malware infections and exploits. Gaining visibility into cloud application usage, understanding where data is being stored in the cloud and having the ability to ‘unsanction’ shadow IT applications is essential for any organisation with a cloud first strategy.
Addressing the above means that organisations can implement their cloud security move in a staged and controlled manner and ensures they can move to the cloud without sacrificing the benefits derived when deploying on premise. Just as importantly it brings security to wherever their users are. Being geographically closer means faster connections and eliminates latency issues. It has the effect of making employees appreciate the experience their corporate IT gives them rather than resenting it. Security effectively becomes an enabler to their work, not a barrier.
Craig Talbot is the Vice President of EMEIA at iboss where his focus is on scaling the EMEIA business via the channel, including value-added resellers (VAR) and managed service providers (MSSP), and driving growth through existing strategic partnerships. Talbot is experienced in creating hyper-growth in software companies, having previously worked at cloud-based software businesses Sitecore and Mulesoft. Prior to this, he was at VMware for nine years, where his tenure culminated in building out and leading VMware’s EMEA NSX network and security business after the company’s 2012 acquisition of Nicira.