IT is the backbone of any modern enterprise. Its main functions are communication and the official, sanctioned services the company uses to do business, whatever that business may be. IT defines the network perimeter, communication flows, availability, accessibility, and performance. IT's functions form a Venn diagram overlapping many of the functions of Security, whose job is to keep the company from getting hacked. Security's main foci have been defining identity and access mechanisms into the network, endpoint security controls, security training, monitoring the network for incidents, and the follow-up investigation of events as they occur.
Business units, on the other hand, tend not to concentrate on any of these core hardware/software competencies. Sales and Marketing are all about creating need and driving adoption of the business product, working out partnerships and new routes to market, creating and sharing content, and keeping the revenue stream intact which keeps the lights on for the organization. Development and Engineering are also devoted to creating the output for that organization, be it manufacturing, advising, or the services provided to end-users. Their functional requirements are set for what the market needs.
Ultimately IT, security, and the business units are working to ensure the success of the company through efficiency, ability to be responsive to business needs, and the protection of vital corporate assets. Cloud is enabling business to move faster than ever before, so fast that sometimes it’s outpacing IT’s ability to maintain security and compliance.
Basic visibility can be an issue. The inaugural Symantec Cloud Security Threat Report (CSTR) identified gaps between perception and reality that create risk for the organization. The report, which polled 1,250 professionals from around the world, asked them how many cloud applications and services they believe are in use by their organization. The average response was 452 applications. Symantec data obtained through Shadow IT audits indicates the real number is over 1,800, roughly four times the estimate. Even though 93% of survey respondents acknowledge that visibility is an issue, that is a major visibility gap.
Further demonstrating the depths of the issue, three quarters (75%) of CSTR respondents experienced security incidents due to immature cloud security practices, and almost all CSTR respondents (93%) believe oversharing of files containing compliance data is a problem. To solve this problem, IT, Security, and business units need to come together.
Cloud adoption of business services, storage, collaboration, and sharing can be a more secure option for an organization with capital expenditure or skill limitations, and it lowers operational overhead. It is fast and easy for any department to license and start using new cloud apps and services, which is why the IT or Security perception of how many cloud services are in use differs so drastically from the real number. This gap in understanding of cloud usage captures how the three groups have traditionally failed to communicate and operate together, and it underscores the need for a new interactive model in which they all share responsibility for security.
The old noble fight of IT/Security administration was an ongoing campaign to lock down network controls and company assets against intruders, comply with policy and governance, and meet the board's initiatives for a secure environment to do business in, all within a tight budget. This put them at odds with the other business units, whose goal is to get their jobs done quickly and effectively with a minimum of hoops and extra effort. To address this conflict of goals, organizations are increasingly investigating and adopting a Cloud Center of Excellence (CCoE) approach to the use of cloud apps. With this model, security moves from being the responsibility of one centralized team to a federated model in which every functional area has skin in the game.
With business units controlling their own budgets, there is little to no IT oversight of the technology stacks used by each team. Tools and solutions like Data Loss Prevention/Protection (DLP), endpoint protection, encryption, and Cloud Access Security Broker (CASB) solutions are being adopted at fantastic rates, but tools in the hands of one department are not enough to keep an enterprise safe, nor is security something the Security expert in the enterprise can dictate alone. A CCoE demands functional participation from management teams who previously have not taken part in the security defenses of the enterprise. It takes the owner of the data to classify that data and to determine what is normal for their business unit.
For example, marketing and sales tend to move large files (PowerPoint decks, videos, or images) for sharing and collaboration, while engineering moves source code and data sets between repositories. CASB controls can help identify the activity, inspect the files for sensitive data, and enforce decisions that secure the data, but the fundamental determinations that build the basic policies, which cloud services are allowed, what data may go to them, and what response each action should trigger, have to come from a central cloud steering committee. The CASB can find your Shadow IT and show where your Shadow Data is moving and being stored; it takes input from the steering committee to choose the right response to each action as it happens between the user and the cloud.
Functional managers can also use CASB results to compare services, standardize procedures, identify underutilized or unused licenses, and control their budgets with greater accuracy, avoiding "shelfware" (services purchased but never adopted). They can help determine which applications are sanctioned (allowed and approved by IT) within their group, which are unsanctioned but necessary for business flow, and which should be blocked entirely because of the security risk. The IT/Security team cannot make all of these decisions in a vacuum, or the Shadow IT problem will simply proliferate as employees find more ways around restrictions to get their jobs done in a timely fashion.
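To make the division of labour concrete, the following is an added illustration (not Symantec code and not the logic of any CASB product) of how Shadow IT discovery and per-business-unit policy fit together as described in the two preceding paragraphs. The proxy log lines, the host-to-service catalogue, the department names and the policy table are all constructed for the example; in practice the catalogue comes from the CASB vendor and the policy table is exactly what the steering committee is asked to produce.

```python
"""Shadow IT discovery from proxy logs plus a per-department policy lookup.

Added example. The log format, APP_CATALOGUE, POLICY and GLOBAL_BLOCKLIST are
all hypothetical stand-ins for what a CASB and a cloud steering committee
would supply.
"""
from collections import defaultdict

# Constructed proxy log lines: timestamp user department host action bytes dlp_hit
SAMPLE_LOG = """\
2019-06-03T09:12:01Z alice marketing drive.google.com upload 52428800 none
2019-06-03T09:15:44Z alice marketing wetransfer.com upload 734003200 none
2019-06-03T09:20:10Z bob engineering github.com push 1048576 none
2019-06-03T09:21:30Z bob engineering pastebin.com upload 4096 pii
2019-06-03T10:02:00Z carol sales box.com upload 20971520 pci
2019-06-03T10:05:12Z carol sales dropbox.com upload 10485760 none
2019-06-03T10:09:55Z dave finance box.com download 2048 none
"""

# Hypothetical host -> cloud service catalogue (a real CASB ships thousands of entries).
APP_CATALOGUE = {
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
    "github.com": "GitHub",
    "pastebin.com": "Pastebin",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
}

# Hypothetical steering-committee output: verdict per department and service.
# "sanctioned" = approved by IT, "tolerated" = unsanctioned but needed for business flow.
POLICY = {
    "marketing": {"Google Drive": "sanctioned", "WeTransfer": "tolerated"},
    "engineering": {"GitHub": "sanctioned"},
    "sales": {"Box": "sanctioned"},
    "finance": {"Box": "sanctioned"},
}
GLOBAL_BLOCKLIST = {"Pastebin"}  # blocked for every department regardless of need
FIELDS = ("ts", "user", "dept", "host", "action", "bytes", "dlp")


def parse_log(text):
    """Turn the constructed log text into a list of dict records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["bytes"] = int(rec["bytes"])
        # Unknown hosts stay as hostnames so they still show up in discovery.
        rec["app"] = APP_CATALOGUE.get(rec["host"], rec["host"])
        records.append(rec)
    return records


def discover(records):
    """Shadow IT discovery: which cloud services each department actually uses."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["dept"]].add(rec["app"])
    return dict(seen)


def classify(dept, app):
    """Committee verdict for a service in a department; anything unreviewed is 'unsanctioned'."""
    if app in GLOBAL_BLOCKLIST:
        return "blocked"
    return POLICY.get(dept, {}).get(app, "unsanctioned")


def decide(rec):
    """CASB-style response to one event, driven by the committee verdict and the DLP hit."""
    verdict = classify(rec["dept"], rec["app"])
    sensitive = rec["dlp"] != "none"
    if verdict == "blocked":
        return "block"
    if verdict == "sanctioned":
        return "allow"  # sensitive data to a sanctioned app is logged, not stopped
    if sensitive and rec["action"] in ("upload", "push"):
        return "block"  # compliance data leaving to a non-sanctioned service
    if verdict == "tolerated":
        return "allow"
    return "alert"  # unsanctioned, no sensitive data: surface it to the committee


def shadow_it_report(records):
    """Per-department table of discovered services and their current verdict."""
    return {dept: {app: classify(dept, app) for app in sorted(apps)}
            for dept, apps in discover(records).items()}


def visibility_gap(perceived, records):
    """Compare what IT believes is in use with what the logs show: (actual, actual - perceived)."""
    actual = len({rec["app"] for rec in records})
    return actual, actual - perceived


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dept, table in shadow_it_report(recs).items():
        print(dept, table)
    print("visibility gap (perceived 4):", visibility_gap(4, recs))
```

The point of the split is that `discover` and `decide` are the tool's job, while `POLICY` and `GLOBAL_BLOCKLIST` are inputs the tool cannot invent: a service that no department has reviewed is merely "unsanctioned" and produces an alert, not a block, so the report is a worklist for the steering committee rather than a list of outages for users.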
Forming a CCoE to make these decisions may be the best way to keep your business flowing at a speed that pleases your employees and shareholders without sacrificing security controls. When everyone has an oar in the water, you can steer your cloud usage in a safer, more controlled direction and get everyone playing on the same team.