

How to address redundant cloud security controls

Overlapping security controls for cloud apps and services can be detrimental to enterprises. Expert Rob Shapland explains why that is, and what organizations can do about it.

The huge number of cloud service options available to organizations creates many problems. Deciding which services can be trusted with corporate data and who can access them, and ensuring the data is stored in a safe manner that doesn't expose the organization to data loss, are just a few examples.

However, another growing problem is the issue of managing all the different cloud security controls and platforms designed to help secure these different services. For example, if enterprises are using Amazon Web Services and Microsoft Azure for infrastructure as a service, Box and Dropbox for cloud storage, or a number of other SaaS offerings, they may well have different cloud security controls specifically designed for each. This is a major headache for IT staff, as administering that many cloud security controls creates almost as many problems as it solves. There are, however, a few options for enterprises that can address this burden.


The first option is to increase cloud visibility. Because there is not yet a unified cloud, we also lack tools that can accurately secure multiple cloud services from one centralized management console. The solution is to focus as best we can on tools that allow cloud services to be centrally monitored and audited, such as a cloud access security broker (CASB). Although a CASB may not provide the level of detail and customizable security of a product tailored to a specific cloud service, it can at least show where the problems may lie. Some CASBs offer specialized versions of their platforms for major SaaS offerings, such as Office 365, Salesforce and Dropbox, with additional functionality such as threat protection, data encryption and data loss prevention.

Understanding what cloud services are being used by employees and being able to detect the use of shadow cloud services is key to preventing accidental or intentional data leakage.
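One way to get the shadow cloud visibility described above from web proxy logs is sketched below. This is an added example, not from the original article; the log format, the service catalogue, the sanctioned list and the `filedrop.example` service are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed catalogue: domain suffix -> service name. A CASB ships a far larger one.
CLOUD_SERVICES = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "salesforce.com": "Salesforce",
    "sharepoint.com": "Office 365",
    "filedrop.example": "FileDrop (constructed)",
}
# Assumed policy: services the organization has approved.
SANCTIONED = {"Box", "Office 365", "Salesforce"}

# Constructed proxy log lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST upload.box.com 52000
2024-05-01T09:02:13Z bob POST content.dropbox.com 7340032
2024-05-01T09:02:40Z bob POST content.dropbox.com 1048576
2024-05-01T09:05:00Z carol PUT api.filedrop.example 250000
2024-05-01T09:06:00Z dave GET www.dropbox.com 0
2024-05-01T09:07:00Z erin POST notdropbox.com 999
malformed line
"""

def classify(host):
    """Return the service name for a host, matching on label boundaries only."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def shadow_cloud_uploads(log_text, sanctioned=SANCTIONED):
    """Sum bytes uploaded per (user, service) for unsanctioned cloud services."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, user, method, host, sent = parts
        service = classify(host)
        if service and service not in sanctioned and method in ("POST", "PUT"):
            totals[(user, service)] += int(sent)
    return dict(totals)

if __name__ == "__main__":
    for (user, service), sent in sorted(shadow_cloud_uploads(SAMPLE_LOG).items()):
        print(f"{user} uploaded {sent} bytes to unsanctioned service {service}")
```

Matching on label boundaries keeps a lookalike host such as `notdropbox.com` from being counted as Dropbox, and keeps `dropbox.com` from being mistaken for the sanctioned `box.com`.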

The second option is to think more carefully about what cloud services, especially SaaS, are implemented in the organization. If we think about security from the outset, not just in terms of the service itself but also how we are going to manage that security, it can lead to some different decisions on what products or services are selected. Enterprises may be better served choosing a cloud service that can be more easily integrated with existing security controls rather than choosing a service that would require an additional layer of cloud security controls around it.

The Cloud Security Alliance Open API is an ambitious project designed to alleviate many of the flaws of security interoperability in the cloud. It can allow third-party systems to interact with the core components of all cloud services that support the CSA Open API, making it possible for central management consoles to control all the individual cloud services. The project is not yet ready to provide a solution to the issue, as it needs buy-in from all the major cloud providers, but the idea is there and may be able to provide a solution in the future.

As organizations jump headfirst into using a myriad of different cloud services, it's paramount that security is considered from the outset in every decision. Cloud services represent one of the biggest opportunities for streamlining IT, but they also represent one of the greatest security threats. If an organization does not truly understand what cloud services are being used and what data is stored there, it is time to start understanding, consolidating and centralizing the management of them before it becomes prohibitively expensive to do so -- or worse yet, a data breach occurs because cloud services are not adhering to organizational security policies.
