I’ve been pretty forthcoming in sharing my belief that the security industry in general continues to struggle to transition from old ways to new, and that in today’s day and age we have to adapt quickly. The rise of mobile computing and communications (users, data, services), combined with increasing volumes of cloud services data traffic (from, to, and via) and intersecting with the hacking community’s ever-increasing capabilities, has made me more than a bit on edge.
I recently participated in an online webinar, teaming up with a cloud services provider and a cloud security solutions vendor. It would be indiscreet for me to name the companies in this blog or signal any kind of Cisco “endorsement,” but speaking personally, they are on the right track in a number of ways.
Like many companies, Cisco gradually came to the realization that its computer users were actively accessing two kinds of cloud-based services—ones that Cisco had specifically contracted for, and many others that our users had started using for reasons of their own. This latter “Bring Your Own Cloud” category triggered reactions ranging from curiosity to alarm within our company. What does a given, user-chosen cloud service do? How well is sensitive data protected when it goes into or comes out of a cloud provided by an unknown vendor? How many of these cloud services can be considered trustworthy? What diligence was done before using them?
Many of you who have read my writings know that I’m a big fan of data in decision-making. So—big surprise—our first step to attaining peace of mind began with the collection and analysis of objective data. We started by learning more about which cloud services our users access, for what purposes, and what data they exposed to them. We identified over 1,000 cloud services in use, and for a whole variety of reasons.
As we studied the data, a short list of most-used services quickly emerged, and all of them were well-known “brand names” in the cloud services marketplace. Brand recognition, however, is no guarantee of safety, and IT and InfoSec dug deeper into data about interactions with all cloud services accessed from Cisco to look for anomalous behaviors, indicators of compromise, and lax data handling processes.
In our second step, we studied cloud services usage patterns and started applying some basic user identification, usage tracking, and audit trail breadcrumb controls. We wanted to get into a position to more quickly identify root causes of any problems that might crop up and also insist on at-rest and in-transit encryption for Cisco data exposed to clouds and cloud services.
Now, in step three, we are taking an active approach to evaluating and qualifying cloud services vendor trustworthiness. This process has benefits in risk reduction, cost management, and productivity/user experience. Based on our findings, we can nudge users to use highly trusted cloud service providers and discourage traffic to others. We can offer our users a superior experience with preferred cloud vendors by facilitating access to them via Single Sign On, a customized welcome, and integration into our IT portfolio. Also, by better understanding which service providers are widely and not so widely used at Cisco, we are in a stronger position to consolidate licensing arrangements and apply more consistent vendor management processes. Last but not least, and what really started our journey, is ensuring we have controls in place to mitigate our risks.
The cloud services enablement journey continues, of course, and probably will never end. With a strong data set in hand, and an enhanced ability to make rational policy and investment choices, we are better prepared to harvest the benefits of employee-driven cloud services access while avoiding potential security pitfalls.