This blog post first appeared in Silicon India.
I didn't know it then, but the '90s were a simpler time for cybersecurity professionals. The Windows system image was alive and well, and securing corporate data was as simple as building a tall, strong firewall. Companies knew exactly where data was, who was accessing it, and from what device.
Times have changed. A company's digital boundary is no longer black and white. Workers store presentations in Dropbox and customer information in Salesforce, right alongside personal texts from their kids and their favorite mobile game du jour.
The reality is that enterprises struggle to keep track of their data. IT is challenged to answer a difficult question: who is accessing which files, when, and from what device? The growing popularity of cloud services makes this question more complex than ever.
The No Boundaries Business
The benefits of software as a service (SaaS) are many. SaaS is flexible. The second a company needs more bandwidth, a cloud-based service can instantly meet the demand because of the vast capacity of the service's remote servers. Cloud computing services are typically pay-as-you-go, so there's no need for capital expenditure at all. And SaaS increases collaboration. If a company doesn't use the cloud, workers have to send files back and forth over email, meaning only one person can work on a file at a time and the same document has many names and formats.
It's no surprise cloud services have skyrocketed to the top of the CIO agenda for 2015. More than 40% of the respondents to the Computerworld Forecast survey said that their organizations will spend more on SaaS and a mix of public, private, hybrid and community clouds in 2015.
But standard security practices, such as encryption and data loss prevention (DLP), can be complicated in cloud environments because company data is literally everywhere. Not only is it impractical to force all network traffic through a firewall, it can be illegal. Would you want to be liable for a worker's entire log of personal mobile phone data? Gone are the days of gating corporate data behind a firewall.
Yet SaaS providers rarely offer robust or customizable security features. Each service provides its own set of security capabilities and policies, meaning enterprises cannot enforce a consistent security model across all SaaS services. This leaves enterprises feeling handcuffed to the standard features provided with a service, or worse, a blanket security model. And workers often use more than one device, making authentication exponentially more complex.
Content-Level Protection to the Rescue
As more systems, applications and data are moved into the cloud, data security requires two-way protection. Companies must have adequate visibility and controls to assess the security posture of both the user (device) and the application (service).
The goal is to make sure business data is being accessed from an approved and uncompromised device. This is a hard problem to solve as more and more devices come into the enterprise every day, all with different operating systems and form factors. Enterprises need solutions that tie this fragmented mobile landscape together and secure services, regardless of whether they are hosted on cloud or on-premise infrastructure, or whether the device is corporate- or personally owned. Enterprises should know who is accessing what data from what location and on what device without compromising user experience.
User experience is the litmus test for the successful adoption of mobility in the enterprise. It is one of the key factors for the surge in SaaS services because they are beautifully designed and easy to access. That experience needs to be preserved; otherwise, users will inevitably find ways to circumvent the security controls companies put in place.
A handful of well-funded startups have emerged in the last few years that provide greater visibility into and more granular controls for SaaS services. They aim to match the security capabilities enterprises have for on-premise services. Some even provide service-specific (API- and object-level) controls for popular services like Salesforce where data can be encrypted and stored in the cloud service. While this isn't a particularly scalable model - there are hundreds and thousands of SaaS services - it is a good step towards solving this SaaS security problem.
The Billion-Dollar Security Question
The core premise of cyber security relies on accurately verifying the worker is who they say they are. This is done today with various forms of authentication. Traditional user names and passwords have evolved into four-digit PIN codes and even fingerprint sensors. But as the technology evolves, so do the hackers. One group recently broke a fingerprint scanner in less than 48 hours.
Tomorrow, threats will require more intelligent protection that goes beyond what will become easy-to-break authentication. This will be the great cyber security challenge over the next few years. How do you think we will solve this challenge?