Companies need to adopt a new model of 'cloud-first' integrated security that enables the centralised control of the myriad of cloud services and apps employees use, says Rolf Haas.

Enterprise Technology Specialist, Intel Security

Cloud use continues to grow rapidly in the enterprise and has unquestionably become a part of mainstream IT - so much so that many organisations now claim to have a 'cloud-first' strategy. That's backed up by a recent Intel Security survey of 1,200 respondents which showed that 80 per cent of respondents' IT spend will go to cloud services within just 16 months. Even if that outlook overestimates cloud spend, it still shows a dramatic shift in mindset, and it's often the business, rather than the IT department, that is driving the shift. In today's digital world, the pull of the cloud and its benefits of flexibility, speed, innovation, cost, and scalability are now too great to be dismissed by the usual fears. To compete today, businesses in Oman need to rapidly adopt and deploy new services, to both scale up or down in response to demand and meet the ever-evolving needs and expectations of employees and customers.

Cloud concerns

This new-found optimism for the cloud inevitably means more critical and sensitive data is put into cloud services, which leads to massive security issues. Unfortunately, the same survey revealed that organisations are  not properly ensuring cloud security today. Some 40 per cent are failing to protect files located on Software-as-a-Service (SaaS) with encryption or data loss prevention tools, 43 per cent do not use encryption or anti-malware in their private cloud servers, and 38 per cent use Infrastructure-as-a-Service (IaaS) without encryption or anti-malware.

Many organisations have already been at the sharp end of cloud security incidents. Nearly a quarter of respondents (23 per cent) report cloud provider data losses or breaches, and one in five reports unauthorised access to their data or services in the cloud. The most commonly cited cloud security incidents were actually around migrating services or data, high costs, and lack of visibility into the provider's operations.

Trust in cloud providers and services is growing, but 72 per cent of decision makers in the survey still point to cloud compliance as their greatest concern. That's not surprising given the current lack of visibility around cloud usage and where cloud data is being stored. The wider trend to move away from the traditional PC-centric environment to unmanaged mobile devices is another factor here. Take a common example: an employee wants to copy data to their smartphone from a CRM tool via the Salesforce app. The problem is that they have the credentials to go to that cloud service and access that data, but in this case, they are using an untrusted and unmanaged device. Now multiply that situation across all of an organisation's cloud services and user devices.

There is clearly a need for better cloud-control tools across the stack. Large organisations may have hundreds or even thousands of cloud services being used by employees and It's impossible to implement separate controls and polices for each of them.

Hybrid cloud security

To securely reap the benefits of cloud while meeting compliance and governance requirements, enterprises will need to take advantage of technologies and tools such as two-factor authentication, data leakage prevention, and encryption, on top of their cloud services and applications.

Increasingly, organisations are also investing in security-as-a-service (SECaaS) and other tools that can help orchestrate security across multiple providers and environments. These help tackle the visibility issue and ensure compliance needs are met. That's why I believe we are starting to see the rise of so-called 'broker' security services. These cloud access security brokers (CASBs) will enable consolidated enterprise security policy enforcement between the cloud service user and the cloud service provider. In fact, Gartner predicts that by 2020, 85 per cent of large enterprises will use a CASB for their cloud services, up from fewer than five per cent today.

The key to this is for companies to be able to seamlessly push and enforce their own security policies from an on-premise proxy infrastructure to a public infrastructure. For the enterprise, this provides the ability, if required, to encrypt corporate data that sits in a public cloud service and offer complete protection for every endpoint. It means the same security policy is applied to the end users regardless of how or where they have connected, whether that's through a public or private cloud, from a smartphone in a coffee shop or a Wi-Fi hotspot at the airport.

Cloud adoption is rapidly approaching a tipping point and now more than ever, there is need for organisations in Oman to adopt a new model of 'cloud-first' integrated security that enables the centralised control or orchestration of the myriad of cloud services and apps employees use across the enterprise. Cloud security is now a critical element of any business, and it needs to be taken seriously from the boardroom right down to the end users.

© businesstoday 2016