The use of SaaS applications continues to grow, with Forrester predicting over $78B in revenue being generated in 2015, a compound growth of 9.14%*. It makes their use in your business kind of inevitable.
With the recent Safe Harbour ruling (if you've missed it, the ECJ has invalidated the 16-year-old agreement that enables US businesses to transfer EU citizens' personal data to the US) and the fact that these apps are consumable by nature, IT is left with two big problems:
- Visibility - how do you identify what applications are being used, what data is in the Cloud and what potential policy violations you may be exposed to?
- Control - how can you apply security controls for sanctioned and unsanctioned Cloud apps?
Add to that the findings of Netskope's recent survey**, that 92% of Cloud apps aren't enterprise ready and 17.9% of files stored in enterprise-sanctioned cloud apps constitute a data policy violation, and it's clear that gaining visibility into the Cloud applications being used and being able to secure your data before it gets to the Cloud will be a vital part of your security infrastructure moving forward.
When we speak to customers about using Cloud apps there are two schools of thought: Cloud first, or Cloud never.
Regardless of your position there are three main challenges: firstly, how do you gain visibility over the applications and data being used in the Cloud? Traditional security infrastructure just doesn't provide the level of visibility and even the "Next Generation Firewall" doesn't hold any context on the providers themselves.
Secondly, if you don't have this level of visibility and your security infrastructure is limited to port and protocol, or whitelist / blacklist, you can't apply the level of policy control that you need - even if you can see the application, you aren't building policy based on the data itself.
The third issue is visibility into the Cloud providers themselves - without an understanding of their infrastructure and data management approaches how can you decide whether they're "enterprise ready" or not? How can you assess the risk?
Enter The CASB (Cloud Application Security Broker)
CASBs are software tools / services that sit between an organisation's on-prem infrastructure and the Cloud provider, acting as a gatekeeper that allows you to extend the reach of your security policies. It's one of the hot topics, with Gartner predicting that by 2017 it will be a vital part of any SaaS deployment.
A key feature of CASB platforms is their ability to provide visibility into what Cloud apps are being used, regardless of whether they're sanctioned or unsanctioned, and then to apply policy against those applications.
This fixes two problems. Firstly, it's impossible to prevent what you can't see, so gaining sight of the apps being used is the first step. Secondly, once you've got visibility, the policy engines within the CASB platforms enable you to apply security policies based on the data you're storing and the potential risk of the application being used. These policies could range from disabling access completely to enabling access and encrypting the data, to give just some basic examples.
The key, and a big differentiator between CASB and traditional security platforms, is that you can do this based on the risk to your data. It's not just a whitelist or blacklist situation - instead they often consider factors like the quality of the datacenter, the provider's data management approach and the level of resilience in their systems as part of scoring that risk.
An often overlooked additional benefit has nothing to do with security; instead it's about vendor management. Once you know the applications being used, you can identify overspend/underspend on software licensing and actually do something about it - it may be that you adopt the apps users want, or prevent them and drive users to corporate-approved apps.
Should The Safe Harbour Ruling Change Things?
In my mind, although the Safe Harbour ruling will cause concern, it isn't a surprise that the decision's been made. I think most people have been expecting it for some time, with many businesses taking the view some time ago that their data isn't to leave the EU or the UK.
The changes in regulation and the lack of clarity around the risks of storing data in the Cloud will only enhance the value and importance of CASB systems - ultimately, if you have a platform that gives you full visibility into what's going on with your data, and a mechanism to apply policy controls, then it puts you back in control so that you can get the most from Cloud apps. Having businesses be more conscious of what they're doing with their data is no bad thing.
So whether you're looking at adopting Cloud applications but want to do it securely, or you want to gain visibility into the unsanctioned applications being used, CASB is a market sector that you need to start considering.
If you'd like to find out more about Nephos or CASB, or if you'd like us to tell you what Cloud applications are in use in your network, then get in touch today by email.
*source: Forrester’s Global Public Cloud Computing market size analysis and forecast for the years 2011 to 2020
** Netskope Report: http://bit.ly/1Ps4XK5