The Top Five Cybersecurity Strategies for Cloud
This article was written by Michael Trachtenberg, CTO of MDS and originally appeared in Forbes.
We all know how to secure our on-premises IT environments, but that all went out the window and floated up into the sky with the movement to the cloud.
These are the top five cybersecurity strategies for securing corporate cloud IT assets.
5. Conditional-Based Access For Secure Devices
When leveraging cloud resources, devices should be granted access based on conditions, and if those conditions are not met, alternate paths should be made available — such as remediation, limited access or additional security screening. This also needs to happen in a fashion that gives transparency to connecting users.
Scenario: An employee connects to a SaaS-based cloud CRM system from their personal iPad while at a conference. At the time of authentication from a browser or the app, the device or specific app prompts the user to be managed, or to have a portion managed, in order to gain access. Managed may mean the application of policy. The process should be seamless and self-service based, with access granted only once those conditions are met.
4. Edge-Less Environments
With cloud, the corporate boundary rarely exists, and cloud services are accessible everywhere. They are available to all connected devices. Leveraging an edge-less environment or building for the intelligent edge prepares organizations for cloud services. Devices that sit on the edge (laptops, phones, tablets, IoT, terminals, etc.) may dynamically flow in and out of the environment, making it critical to build a networking infrastructure that supports this mobility.
Scenario: An employee rents a badge scanner to upload contact information to a SaaS-based cloud CRM system. Data collected in the field is processed and transferred to central systems in real time by edge devices. The process and methods of connecting and transferring data should be the same either from “corporate” wireless or public-access Wi-Fi through HTTPS communications and app services.
3. Containerization, Data Classification And Encryption
The only thing that can move as fast as light is data (well, almost). Corporate data is the secret golden nugget that all IT security measures have always sought to protect.
If all corporate data is containerized and encrypted, and the data itself has conditional access baked in with metadata, then most IT measures are irrelevant at that point. The issue is that data is hard to containerize and encrypt. It is simpler to perform this with modern, mobile cloud-based apps. But for thick 32-bit legacy applications, this proves difficult and requires additional applications to virtualize and cloudify.
Scenario: An employee connects to a SaaS-based cloud CRM system from their personal iPad while at a conference. The employee downloads a corporate spreadsheet and then emails it to a personal email account. If the data itself is classified and has content-level encryption, it doesn’t matter where the data ends up; when the file is opened outside the network, it will reach out to the cloud for DLP. If the cloud file storage is containerized, the data can’t move to other systems at all.
2. Identity-Driven Management
Having a unified identity platform allows most other systems to perform in the cloud-first world across a source anchor — a user’s identity. That requires moving away from a device/permissions method of securing access.
A singular login allows cloud systems to build profiles for individuals that can then be combined with conditional access and edge-less environments. This enables truly dynamic access to cloud resources based on many factors. It also allows intelligence to be introduced to enable ML- and AI-based behavioral access systems.
Scenario: An employee connects to a SaaS-based cloud CRM system from their personal iPad while at a conference. The identity of that person should be verified with multiple factors. The device should be conditionally allowed to connect based on its state. The connecting-from location should limit what can be viewed or accessed, and anything that is accessed should be containerized and encrypted. The entire event should also be monitored and compared against typical behavior for the user and should dynamically change if anything seems out of line with baseline activities.
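As an added worked example (not code from the article or from MDS), the policy below turns the signals that strategies 5 and 2 describe (multiple identity factors, device management state, connecting location and deviation from the user's baseline behavior) into one of the alternate paths the article names: allow, limited access, remediation or additional screening. The thresholds, the three baseline signals and the sample baseline are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Decision outcomes: the alternate paths the article names (allow, limited
# access, remediation, additional screening) plus an outright deny.
ALLOW, LIMITED, REMEDIATE, STEP_UP, DENY = "allow", "limited", "remediate", "step_up", "deny"
HIGH_RISK, MEDIUM_RISK = 0.67, 0.34  # assumed thresholds on the 0..1 deviation score


@dataclass
class Baseline:
    """Typical behavior for one user (constructed sample profile)."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    work_hours: range = range(7, 20)


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device_id: str
    device_managed: bool
    device_compliant: bool
    network: str      # "corporate" or "public"
    country: str
    hour: int         # local hour of the attempt, 0-23


def risk_score(req: AccessRequest, base: Baseline) -> float:
    """Fraction of behavioral signals that deviate from the user's baseline."""
    deviations = [
        req.country not in base.countries,
        req.device_id not in base.devices,
        req.hour not in base.work_hours,
    ]
    return sum(deviations) / len(deviations)


def decide(req: AccessRequest, base: Baseline) -> tuple:
    """Return (decision, permitted actions) for one access attempt."""
    if not req.mfa_verified:
        return STEP_UP, frozenset()        # identity first: require more factors
    risk = risk_score(req, base)
    if risk >= HIGH_RISK:
        return DENY, frozenset()           # far outside baseline activity
    if not (req.device_managed and req.device_compliant):
        return REMEDIATE, frozenset()      # offer enrollment/policy instead of a hard deny
    if risk >= MEDIUM_RISK:
        return STEP_UP, frozenset()        # additional screening before access
    actions = {"view", "edit", "download"}
    if req.network != "corporate":
        actions.discard("download")        # location limits what can be accessed
        return LIMITED, frozenset(actions)
    return ALLOW, frozenset(actions)
```

The personal iPad at the conference first lands on the remediation path; once enrolled and compliant, the same device on public Wi-Fi gets limited access, and a known device on the corporate network gets full access.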
1. Cloud Access Security Brokers
Once an organization is leveraging a multi-cloud strategy, connecting multiple clouds together becomes the next priority. What is the purpose of having a singular identity and a single IAM system for one cloud and not another? What is the purpose of having data classification and encryption if you can only enforce it in one of your five cloud services?
Tying clouds together has historically been done for ease of authentication and providing common identity with single-sign-on capabilities. Now with solutions via a cloud access security broker (CASB), API-based connections between clouds allow for the enforcement of policy from one cloud service to another, including DLP strategies and conditional access.
Scenario: An employee connecting to a SaaS-based cloud CRM has the same experience when connecting to any corporate resource such as mail, CRM, HR, collaboration tools and everything else. The person has one set of login credentials, and access is conditional. Connectivity is edge-less and everywhere. What they can access is containerized and encrypted; their identity dictates permissions and risk. Activities across clouds are visible and controllable by IT and management, which govern by the same policies universally.
Combining all these strategies makes the cloud not look so scary. But it does make on-premises security seem somewhat simplistic and not as secure as we once thought.