The Public Cloud’s Pesky Problem

So much has been written about securing digital assets in the public cloud that one would think this is a problem that the industry has managed to solve by now. The truth however, is far from it. In speaking with CIOs and Heads of IT over the last several months, it is clear to me that Security and Privacy remain top-of-mind concerns for businesses, and the problems are quite nuanced.

Shared Responsibility

First off, it is important to understand that even when businesses trust their data to the cloud, they’re still responsible for watching their own backs.   Public cloud vendors call this the Shared Responsibility Model which means while the public cloud vendor has the responsibility of managing security “of the cloud”, the customer is still responsible for securing their assets “in the cloud”.   So, as a customer, you can expect a cloud platform that is sufficiently tested against vulnerabilities and intrusions, but the responsibility of ensuring compliance with external regulations, your own organization’s policies, and ensuring that your employees use the cloud in a secure way – still lies with you.  So, while you can outsource infrastructure and even applications to the cloud, you simply cannot outsource the responsibility for security and privacy.

Breadth of Usage

There are literally hundreds of ways data leaves an enterprise network and goes into the cloud.  Studies show that an average enterprise could be using over 1000 cloud services (roughly 10x what IT thinks they’re using) and the average employee, over 25 cloud applications.  Some of these could be SaaS applications, some could be file sharing and collaboration tools, or they could be essential IT solutions like cloud backup, archiving, etc.  It is simply not easy for enterprises to examine all these data streams and police usage – and CIOs are struggling to find solutions that cover this broad spectrum of use cases.  Most current security solutions and CASBs are simply unequal to the task.

Outsider vs Insider

It is commonly perceived that enterprises are mainly worried about securing their data from bad actors external to the organization.  Encryption and BYOK have been widely touted as solutions for this problem, but one of the more revealing things I’ve discovered in my conversations with customers, is that they’re just as worried (sometimes more so) about internal actors.   Increased mobility coupled with broader usage of the cloud for data storage, means that the enterprise network isn’t even in the data path when business is conducted.  The lack of visibility around how employees are accessing and utilizing company data is a huge concern – especially when they do so using unmanaged devices.

Added value in the Cloud

Keeping data safe in the cloud is one thing, but it is also clear to me that enterprises are looking for more.   For instance – protecting sensitive files and ensuring that they are shared securely with an audit trail; managing mailbox sizes in the cloud and providing extended retention capabilities for mail; managing data access in the cloud with granular file and folder permissions akin to the traditional NAS model; and securing sensitive data in cloud document management applications like SharePoint.  And these are just a few I’ve heard about.

In summary, protecting data in the cloud is complex, but it can be made simpler if you know what to look for in the solutions you’re evaluating.  First, know that while your data is now sitting on someone else’s computers, you still remain responsible for its safety.  Make sure you’re cloud security solutions that cover the broad spectrum of cloud storage use cases and not simply tools that give you pretty reports about your cloud usage.  Ask if the protection can be broad enough to also ensure compliance within your employee base (insiders).   Lastly look for real added value beyond basic encryption and DLP features.