From July 29 to August 1, technology research firm Gartner hosted its annual Catalyst conference, an event aimed at IT professionals and covering topics from identity and access management to mobile devices and cloud computing. While at the conference, I had a chance to attend several excellent sessions with an in-depth technical focus. Diving deep into a concept always piques my interest, and one session in particular hit home for me. Led by Gartner analyst Ramon Krikken, the session titled “Five Practical Steps to Securing Data in the Public Cloud” dove into the role that security can play in between business users and the web applications they access in the cloud. I wasn’t surprised to hear this concept; in fact, it’s something we’ve been working on for some time.
Ramon kicked off the session with some of the top technical risks introduced by the cloud model of IT: data leakage, loss of encryption keys, malicious interception of data, and even insecure data deletion. In any adoption of a cloud service, it is imperative to understand your risk level based on the type of data you’ll be sending out to the cloud. Here at McAfee, we believe Cloud Service Providers (CSPs) absolutely play a role in mitigating risk, but not one that matches the control you could establish on-premises. The ideal scenario is to mirror the controls you’ve established on-premises in your chosen cloud environment. That sounds impossible, but it is becoming more of a reality than ever, and part of what we’re doing at McAfee brings us closer to it.
The path forward to establishing, or in some cases regaining, control over IT services in the cloud involves technology already proven in secure web gateways, coupled with several new developments in identity management and encryption. The key is to establish a security layer between your business and the cloud. This layer should perform multiple functions that enable secure access to business applications while reducing or eliminating the loss or compromise of sensitive data. For the sake of brevity, I’ll list the core functions of this security layer here:
- User authentication and provisioning. Now that the applications are outside your network, you need to sync your directory of authorized users with the cloud so that only the right people get access to the cloud applications they are authorized to use, from whatever device they choose. Add single sign-on for productivity, and a second factor of authentication for extended security.
- Application control. Cloud applications open up plenty of doors to data loss and productivity drain. Control individual applications down to the feature level, such as uploading to cloud storage, or sending messages on social networks – closing gaps that might leak data.
- Data encryption. Any information you send out to the internet unencrypted is open to interception or unauthorized access. Essential to maintaining control over data used in cloud applications is handling encryption on-premises, with the keys remaining in your hands rather than the CSP’s; this takes a great deal of reliance for protection off the CSP, since a compromise on their side exposes only ciphertext. Access to and decryption of this data must be allowed only for authorized users.
- Traffic monitoring. One of the most consistent trends we’ve seen lately is rogue adoption of cloud applications, leading to unmonitored data leaving business networks. We call this shadow IT, and it cannot be ignored. It is also an indication of what IT should actually be deploying to users. A secure web gateway can see all of the traffic to these applications, and IT can rein them back in with controlled deployments of the same apps. The same gateway also blocks malware that attempts to exfiltrate your data.
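To make the traffic-monitoring point concrete, here is an added example (not McAfee code, and not tied to any particular gateway product) that runs over a few constructed, simplified proxy log lines and reports unsanctioned cloud destinations that have actually received uploads. The log format, the sanctioned-app list, the host names and the 1 MiB upload threshold are all assumptions made for the illustration.

```python
"""Flag shadow-IT cloud usage from secure web gateway logs.

Added example, not McAfee product code. The log format below is a
constructed, simplified proxy log (one request per line):
    timestamp user method host path status bytes_out
"""
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic. The last line is
# deliberately malformed to show that bad records are skipped, not fatal.
SAMPLE_LOG = """\
2013-08-05T09:01:02Z alice GET  storage.example-sanctioned.com /files 200 512
2013-08-05T09:02:10Z alice POST storage.example-sanctioned.com /upload 200 4194304
2013-08-05T09:05:44Z bob   POST share.rogue-cloud.example /api/upload 200 15728640
2013-08-05T09:06:01Z bob   PUT  share.rogue-cloud.example /api/upload 200 10485760
2013-08-05T09:07:30Z carol GET  share.rogue-cloud.example /home 200 2048
2013-08-05T09:09:12Z dave  POST notes.other-cloud.example /sync 200 2048
this line is garbage and should be skipped
"""

# Hypothetical list of cloud apps IT has deliberately deployed.
SANCTIONED_APPS = {"storage.example-sanctioned.com", "mail.example-sanctioned.com"}

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|PATCH|DELETE|HEAD)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\d+)$"
)
# Methods that carry a request body, i.e. data leaving the network.
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_log(text):
    """Return (records, skipped): parsed request dicts and the count of unparseable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        _ts, user, method, host, _path, _status, bytes_out = m.groups()
        records.append({"user": user, "method": method,
                        "host": host.lower(), "bytes_out": int(bytes_out)})
    return records, skipped


def is_sanctioned(host, sanctioned):
    """Exact or subdomain match, so cdn.storage.example-sanctioned.com also counts."""
    return any(host == s or host.endswith("." + s) for s in sanctioned)


def find_shadow_it(records, sanctioned, upload_threshold_bytes=1_048_576):
    """Aggregate per unsanctioned host; keep only hosts that received real uploads.

    Returns {host: {"users": set, "upload_bytes": int, "requests": int}}.
    """
    stats = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "requests": 0})
    for r in records:
        if is_sanctioned(r["host"], sanctioned):
            continue
        s = stats[r["host"]]
        s["users"].add(r["user"])
        s["requests"] += 1
        if r["method"] in UPLOAD_METHODS:
            s["upload_bytes"] += r["bytes_out"]
    # Browsing an unsanctioned site is noise; data leaving the network is the signal.
    return {h: s for h, s in stats.items() if s["upload_bytes"] >= upload_threshold_bytes}


def format_report(report):
    """Human-readable lines, largest upload volume first."""
    lines = []
    for host, s in sorted(report.items(), key=lambda kv: -kv[1]["upload_bytes"]):
        lines.append(f"{host}: {s['upload_bytes'] / 1_048_576:.1f} MiB uploaded "
                     f"in {s['requests']} requests by {', '.join(sorted(s['users']))}")
    return lines


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {bad} malformed line(s)")
    for line in format_report(find_shadow_it(recs, SANCTIONED_APPS)):
        print(line)
```

On the sample data only share.rogue-cloud.example is reported: the sanctioned storage app is excluded outright, and notes.other-cloud.example falls below the upload threshold even though it is unsanctioned. In practice the sanctioned list comes from your application-control policy, and hosts that show up here are the candidates for either a controlled deployment of the same app or a block rule.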
This new model of cloud IT, and the new model of security that goes with it, is continuing to mature. Ramon brought to light many of the risks businesses experience when extending applications and data to the cloud, and he was equally passionate when presenting what the future of security looks like in that model. We’re right there with him. If you’d like to hear more about the approach we’ve developed thus far, check out this on-demand webcast that runs through the solutions we have available today.