Posted by Ed Macnair / 19 December 2016
When Cloud was the new kid on the block, the risk of adoption was simply too variable and therefore untenable but that didn’t really matter. It was gathering such momentum the security market simply couldn’t keep up. So in line with tradition, the easiest option was to get the big red stamp out and mark it ‘unsafe’ and hope it would go away.
The problem was that it didn’t; it just got bigger.
The result was worryingly predictable. Security designed for a pre-cloud market ceased to be relevant and of course, that didn’t feel very fair, particularly after all that hard work over the last decade or so. You could stamp your feet all you like and protrude your bottom lip so that it is visible only from space but one thing was for certain, hiding behind the excuse that Cloud is too much of an ‘unknown’ was flimsy then and frankly inexcusable today.
I personally think we can learn much from the dynamism of cloud app providers but it’s fair to say that their attitude toward security varies immensely. They range from the well intended to the ‘sales-hungry consumerized provider’ who, on the surface at least, appears entirely uninterested. Meanwhile the best response the staid security market can muster is the poorly thought-out excuse that cloud apps are too generic by definition to meaningfully protect. In simpler terms, you don’t have a product that addresses the current needs of the market. There, I said it for you.
As the Cloud model mutates to don even bigger, hairier legs, progressive companies are naturally beginning to adopt enterprise apps that suit the needs of their business. They have neither the time nor the inclination to wait for the security market to play catch up and as a result have maintained a reliance on products designed to protect a market from a different time with very different challenges. That may sound like pretty bad news but it gets much, much worse.
Users (and when we say users, we don’t mean the hapless lemmings portrayed in scare-mongering marketing; we mean even the well-informed, well-intentioned employees) continue to elect to use apps that they personally favor, all in the valiant name of productivity.
It’s a practice that has evolved from the BYOD culture and it looks like it’s here to stay for the foreseeable future. App technology has inadvertently progressed well beyond the realms of protection without even breaking a sweat. In other words, unless the security market stepped up with a real-world solution, those companies were about to find themselves up a very well-known messy creek without a paddle.
We’re through dancing around our handbags
Apps aren’t a new piece of technology and we’re well past the stage where we can say we’re still figuring out the best way to secure them. We’re not sucking and seeing; nor are we dancing around our handbags, kicking tires or easing into what we should be doing; there are real ways to tackle known security issues head on.
It is incumbent on every organization to evaluate the use of services and ensure they have effective controls to help their employees do the right thing; embrace cloud services but avoid exposing the company.
This doesn’t begin and end with popular unregulated apps; it extends to services that have been transformed into business-facing apps to keep the wheels turning, such as CRM systems, enterprise social media, file sharing or even virtual infrastructure, given the increasing IaaS and PaaS trend.
Ignore them at your peril, because these platforms, although marketed as business-ready tools, are assumed to have robust security from the get-go. Combine that with the developing trend of Shadow IT and the evolution of the savvy user outgrowing the IT department, and cloud services can in principle be implemented without intervention with just one swipe of a credit card. That’s bad but it’s also addressable.
For whatever mystery surrounded cloud in its infancy, the conversation that treats it as a beast that is yet to be tamed is as naïve as it is redundant. Times have undoubtedly changed, even if most security vendors have failed to. Cloud security has moved on, even if our competitors haven’t. Today, Security has a new directive: to liberate and enable users to do their jobs safe in the knowledge that they’re protected but not prohibited.
The answer lies in the ability to sensibly control cloud applications, apply risk mitigation through policy and help employees avoid circumventing necessary business controls to get the job done.
If we’re to learn anything from the dynamic popularity of the app world, it is that innovation and forward motion inspires, captures imagination and makes all things possible. That requires a departure from conventional thinking for the Security market and it’s also a long overdue kick up the butt for those that seek to prohibit progress.
The role of Security is changing but that doesn’t mean we depart from all that has proven to be successful. Web security and content filtering (when executed well) still have a rightful seat at the table, and it is important that we take our learnings from the last decade and extend them to evolve beyond the web gateway into the evolving realm of Cloud Application Control.
As an industry we’re in the privileged position of redefining our place in digital history; our role isn’t to block or deny but to enable and protect. Hiding behind the clichéd stance that cloud security contains too many unknown risks smacks of a weak, transparent excuse for products that haven’t evolved to address and protect the exponential rise of the app.
By denying users the option to use the apps that encourage them to be productive, we fail to recognize the huge leaps we have made as an industry in keeping the Internet a safe place to be. The Cloud isn’t the enemy; it never has been. It’s the ultimate enabler, as are we.