By Jason Clark – Chief Strategy Officer | Netskope
We're entering what some are calling the Fourth Industrial Revolution, as digital transformation dissolves traditional security perimeters and drives everything into the cloud.
Data is being created at an explosive rate, the vast majority of it on mobile or directly in the cloud. Workforces are becoming increasingly remote, meaning they're moving far away from the traditional perimeters of the enterprise data center. Digital transformation, which is driving cloud and mobile adoption, is creating a tremendous shift in risk posture, exposing new security blind spots for every organisation as a result.
As CSO for a cloud security platform, I know from experience that those blind spots mean that security teams are less likely to see threats coming their way or to protect against their own insider threats. Even worse, the attack surface is growing at a rapid pace in places that legacy security controls sitting on your perimeter can neither see nor protect. Combined with a whole new set of cloud-specific threats, this spells trouble for every security program.
However, security teams can prepare now for a rapidly approaching cloud-enabled future. Here's where you can start:
Security programs were built in a world where we assumed companies owned the device and network where their data lived.
Now, with an ever-growing number of enterprise users in the cloud, they may not be going through your data centre or even riding your network. Your data is now sitting where someone else controls it — whether on an iOS/Android remote device or a SaaS app like Salesforce or Office 365 — resulting in decreased network visibility.
The first step to getting control back is accepting that you've lost control of, and visibility into, most remote/mobile devices and most SaaS/cloud apps. From there, a good way to consistently control access to your data is with a cloud-based secure web gateway (SWG).
The average worker today has more than two mobile devices, and they are likely using these devices off your enterprise network. Once a mobile device travels off your network, you are blind to threats.
If it's a company-owned or managed device, the first step in regaining visibility is to find a good endpoint security solution. The second step is to connect the remote device to your SWG for a two-tier approach to mitigate threats. The third step is to deploy cloud-based DLP policies, using your SWG to protect the data leaving the managed device.
If it's an unmanaged device, the first step is to use an SWG or CASB as a reverse proxy to get visibility into the applications and data. For example, you could allow viewing sensitive data but deny downloading it to an unmanaged device. This gives you much better control of unmanaged devices.
While SSL/TLS 1.3 encryption has become standard for many organizations, most aren't able to actually gain visibility into the encrypted traffic, running the risk of letting threats slide in under their noses.
While it will take surmounting a certain level of complexity, the best way to get visibility into that encrypted traffic is to insert your security inline: establish secure connections between each of the two transport endpoints and your security platform, something commonly referred to as "man in the middle."
With that, you should be able to rectify this blind spot, but you'll then have to deal with the same problem at the API layer.
There are more than 30,000 cloud apps that organisations today may be using, and all of them are using unique APIs to converse.
Before, it was easy to decode the languages of web traffic, like TCP/IP or HTTP, but API/JSON is the new language of the internet and the language of all cloud apps, meaning there are now thousands of dialects. Without being able to decode the JSON at scale, you won't know the exact function you're performing in a given app or how much access you're giving an app to your data.
This visibility can be even more problematic if your infrastructure can't discern between personal and corporate instances of an app. Without granular visibility, an employee of your organisation could access sensitive data in a corporate Box account from a personal, unmanaged device. And you wouldn't be able to tell the difference.
The only solution I can offer for fixing this visibility is an SWG solution that gives you the granular visibility to distinguish instances and translate these APIs, alongside other encryption.
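As an added illustration (not the author's or Netskope's code), the Python below shows why decoding the JSON matters for the view-versus-download and personal-versus-corporate distinctions described above: four calls to the same host are indistinguishable until the body is parsed. The app `files.example`, the tenant names, the method names and the policy itself are assumptions made for the example.

```python
import json

# Assumptions, not from the article: a hypothetical app at files.example that
# sends every call to one endpoint and names the action and tenant in the JSON.
CORPORATE_TENANTS = {"acme-corp"}
ACTIVITY_BY_METHOD = {  # this one app's API "dialect"
    "file.preview": "view",
    "file.content.get": "download",
    "file.create": "upload",
}

def decode_event(host, body):
    """Turn one decrypted API call into app / instance / activity."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        msg = None
    if not isinstance(msg, dict):
        msg = {}  # undecodable traffic stays "unknown" and is handled below
    tenant, method = msg.get("tenant"), msg.get("method")
    if not isinstance(tenant, str):
        instance = "unknown"
    else:
        instance = "corporate" if tenant in CORPORATE_TENANTS else "personal"
    activity = ACTIVITY_BY_METHOD.get(method, "unknown") if isinstance(method, str) else "unknown"
    return {"app": host, "instance": instance, "activity": activity}

def decide(event, device_managed):
    """On unmanaged devices, corporate data may be viewed and nothing else."""
    if device_managed or event["instance"] == "personal":
        return "allow"
    if event["instance"] == "corporate" and event["activity"] == "view":
        return "allow"
    return "block"  # download, upload, or anything that could not be decoded

# Constructed sample calls: same host, same endpoint, only the JSON differs.
SAMPLES = [
    ("files.example", '{"method": "file.preview", "tenant": "acme-corp", "id": "f1"}'),
    ("files.example", '{"method": "file.content.get", "tenant": "acme-corp", "id": "f1"}'),
    ("files.example", '{"method": "file.content.get", "tenant": "jdoe", "id": "f9"}'),
    ("files.example", "not json"),
]

def run_samples(device_managed=False):
    return [decide(decode_event(h, b), device_managed) for h, b in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

Blocking uploads and undecodable calls from unmanaged devices is a fail-closed choice made for this example; the article itself only specifies allowing view and denying download.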
Data In The Cloud
Much of your organisation's data is already living out in the cloud, but you may be unaware of how much sensitive data is actually leaking out via cloud apps you're already using.
Suppose your HR department wants to run an audit on the demographics of your company. They could just load all of that sensitive personal information onto a cloud app with a few keystrokes. But how do you know that cloud app is safe?
And what's worse, your HR team may not even realize how much sensitive data they're giving to a possibly untrustworthy source.
In my experience, the most effective way I've found to deter inadvertent sharing to sketchy sources is simply adding a prompt to your system, making sure the user really wants to share data with a source that may not be able to adequately protect it. And even if they blow past that safeguard, it can trigger the necessary alarm bells so you can put a stop to it before anything is compromised.
Data in the cloud flows like water, and it's your job to create the correct path for it.
While all of these blind spots pose serious concerns for any and all security teams, it's worth noting that all of them can be easily addressed with the right approach. If you start asking the right questions about your current security posture and seek out the right technology to find the answers, you'll be better prepared in the face of digital transformation.