Today's guest blogger is Kevin O’Brien, Director of Product Marketing at CloudLock. Kevin heads up Product Marketing for the cloud security vendor (and our partner!) CloudLock, and has been part of the security community for more than a decade, having gotten started doing reverse engineering and penetration testing in the early days of @stake in Cambridge, MA.
Over the past year, a discussion has kicked off amongst industry experts about just what effective security looks like in the cloud, and how it is both similar to and fundamentally different from the top-down control-based approach that IT professionals have been working with for the past 20 years. In essence, there are two reasons why traditional security thinking has failed to keep pace with the changes that the cloud revolution has carried with it: the first reason is practical; the second is philosophical.
In terms of the former, the argument is simply that the level of effort required represents a massive waste of time, disproportionate to the risks that are actually posed by cloud platforms. Consider the work day of a typical user in a cloud-friendly environment: I sat down in front of my computer this morning and checked a third-party to-do list app on my iPad, that has OAUTH-based access to my Google Calendar, reminding me that I needed to put together some thoughts around cloud security for the SADA Systems blog. I opened up a third party mail client on my phone to check some notes I’d exchanged on the subject -- an app which again has permissions to access my Google Drive and Google Mail environments. As I pulled together my thoughts, I opened Chrome on my tablet, where my bookmarks -- including a link to a presentation on security that I saw at the Gartner event a few weeks back -- are automatically synchronized between my laptop and mobile devices.
Does this workflow put the company at risk? Absolutely not. These are examples of highly efficient business applications that let me work more effectively, and I was freely able to select the ones that maximized my ability to work effectively and efficiently. And I'm not alone in working this way, either.
As of June 2012, over 750 million apps had been installed by users from the Chrome store alone. Imagine if my IT team had decided on a "blocking" approach to the cloud, such as web filtering or tokenized encryption. One can imagine how much of their time would be spent tracking down every new potential application or website that I might use, and ensuring that it was inaccessible. Nothing technology-focused would ever get done, and to what end? All that time and effort would immediately lower my real productivity and reduce my ability to work, in order to reduce theoretical risk from some nebulous "evil app" that may or may not even exist.
More importantly, by blocking or encrypting every piece of data in our cloud platform, this excess of vigilance will almost certainly give rise to a "shadow IT" organization of technical end-users who would help the team find and work in environments where the apps that drive productivity were not blocked. Instead of increasing security, these misinformed approaches decrease it.
Thus the second reason: why the idea that increased controls lead to increased security is flawed. At its core, this conversation is not about apps, data encryption, or even really about security. It's about the role of IT in a world that is no longer manageable from a single network, top-down IT perspective. There are forces at play here (canonically, mobile, social, cloud, and big data) that have changed the rules of the game for users, and the very concept of "locking down" access is no longer feasible. Users have a tremendous number of ways of gaining access to their work-related data, which is a good thing. However, what was sensible security in the 1990s and early 2000s is outdated thinking today; a new model is needed.
At CloudLock, we are strong believers in the “people-centric security” model, which is predicated on the seemingly paradoxical belief that security is in fact improved by reducing the number of controls that are applied to end users. Especially true in a cloud environment, the this concept was originally surfaced by Tom Scholtz, a Research Vice President at Gartner, in late 2012, and has begun to find traction in the industry. It hinges upon rapid detection of data risk, but rather than addressing discovered incidents by locking down users and their ability to self-select ways of working that are effective and efficient, it proposes an accountability model wherein the offenders are educated as to what happened and how to prevent it in the future.
Working closely with SADA Systems, we at CloudLock have helped many of the cloud ecosystem’s largest organizations and customers implement people-centric security platforms.
Looking for more detail on how CloudLock views the role of security in Google Drive? Download their free whitepaper that provides in-depth steps to identify, classify, and secure PII in Google Drive (Docs), including:
Credit card numbers
Social Security numbers
Phone numbers, addresses, and other sensitive data using custom
regular expressions for pattern matching
If you're interested in learning more about how our Google Apps services work in conjunction with CloudLock, visit our website!