The problem is that many cloud apps aren’t as secure as people might think. A study earlier this year by Ponemon found that 50 percent of companies that build and deploy mobile apps for their customers devote no budget to mobile security, and many apps don’t even get tested for vulnerabilities. Of course not all cloud apps fall into this group – there are exceptions – but employees and even Line of Business heads have no way of knowing which apps are more or less risky. They’ll use apps, access and share data, and think they have the full complement of security technologies protecting them that they have within the walls of the enterprise or from proven vendors. This practice, called Shadow IT, and the resulting Shadow Data prevent IT from gaining the visibility and granular control needed to intelligently protect the organization’s valuable digital assets.
Unsanctioned cloud apps aren’t the only culprits when it comes to exposing the business to malicious attacks. Even sanctioned apps or those that are seemingly secure are vulnerable because they involve user accounts, and user credentials are increasingly used as an attack vector into business data.
So how do we handle the responsibility that cloud computing brings? It’s a responsibility that must be shared among vendors, users, business leaders, and IT security professionals and involves three key aspects.
First, security solutions need to be adaptive and integrated. Security solutions must provide visibility and control everywhere and all the time: across attack vectors, including cloud apps, and the full attack continuum – before, during, and after an attack. This requires that cloud application security be part of an integrated threat defense architecture sharing data across firewalls, email and web secure gateways, and network and endpoint security solutions. Only then can security professionals fully understand the risks of each app, control how users share and access data, and identify and combat malware.
Second, there needs to be greater focus on trustworthiness. Security professionals need to understand what security and SaaS vendors are doing to build security into the heart of their products. Security should underpin all that vendors do, and security professionals must verify that these products remain trustworthy through every point in the supply chain that delivers those products to them. They should also ask vendors to demonstrate that their products can be trusted and to back up their claims contractually.
Third, collaboration across the organization is critical. Security professionals and business leaders must align to ensure the right apps and services are available to meet business objectives and minimize the practice of downloading unsanctioned tools. Processes to request apps and report potential malware must be simplified and actively communicated so that employees are encouraged to use the proper channels, and understand how to use them, to minimize risk and expedite response.
The benefits of cloud apps to the organization are undeniable, but so are the risks. By working together and sharing the responsibilities that come with the cloud, we can shed light on how apps are being used and where the risks may lie so that we can take full advantage of the possibilities.
Source: Marc Solomon, Cisco’s VP of Security Marketing, securityweek.com