What customers' employees do within web, cloud and social apps can be a significant threat to their business. We look at how they can limit the risks.
We recently took a look at vendors’ web security offerings, and came to the conclusion, in this post, that much of this risk landscape is being driven by employees and their ceaseless interactions with the raft of web, cloud and social media applications on which so many agile business processes now depend.
As this excellent piece in ITPro explains, it is now imperative for businesses to “understand exactly how data is moving in, around and out of your organisation”, and to provide the “visibility and the ability to discover, analyse and control the information staff are accessing or sharing.”
Whether businesses are updating marketing posts on Facebook, drilling down into Salesforce, uploading price lists to Dropbox, liking comments on Twitter, or using cloud data storage applications (as some 52% of small and medium-sized businesses in the US alone seem now to be doing, according to this Cloudwards article), the potential for both intentional and unintentional data compromise or reputational damage is high.
So how do security vendors tackle this end-user challenge, and create cloud application control solutions that MSPs and other partners can sell and provision to customers profitably?
Cloud application control: the all-seeing-eye?
The first thing to say here is that cloud application security is not simply about automatically blocking malware, or filtering out clicks on risky URLs, or scanning for abusive language.
Rather, it is about being able to visualise and analyse all users’ application activity simultaneously and in one place, make informed human business risk decisions on it, and, where necessary, change parameters and automated settings to suit.
So, for example, why is a user uploading or deleting a profile image? Are they trying to hide their identity?
Why is someone removing a public link – was something there that should not have been exposed to public view in the first place? If so, how do you address the process failure that allowed such a link to then be posted?
Why is someone permanently deleting files from a recycle bin – are they trying to cover their tracks? For what reason?
With or without malicious intent, these are potentially damaging behaviours – but it takes a human eye to assess them, and that can only happen if all relevant information and alerts are assembled in one dashboard, where they are easy to interpret, with minimal management overhead.
Cloud application control consoles are therefore critical, enabling end-user and MSP alike to monitor and manage both users’ behaviours and the service that is being delivered.
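The following Python example is added here and is not code from the article's author or from any vendor it mentions. It gathers constructed audit events from several apps into one review queue, flags the three behaviours questioned above and attaches the context a human reviewer needs; the event fields and action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events, already normalised from several cloud apps.
# Field names and action labels are assumptions for this example, not a vendor schema.
EVENTS = [
    {"ts": "2016-03-01T09:00:00", "app": "dropbox", "user": "alice", "action": "public_link_created", "target": "pricelist.xlsx"},
    {"ts": "2016-03-01T10:15:00", "app": "salesforce", "user": "bob", "action": "report_viewed", "target": "q1-pipeline"},
    {"ts": "2016-03-03T09:00:00", "app": "dropbox", "user": "alice", "action": "public_link_removed", "target": "pricelist.xlsx"},
    {"ts": "2016-03-03T11:00:00", "app": "dropbox", "user": "carol", "action": "file_permanently_deleted", "target": "contracts.zip"},
    {"ts": "2016-03-03T11:02:00", "app": "dropbox", "user": "carol", "action": "file_permanently_deleted", "target": "hr-export.csv"},
    {"ts": "2016-03-04T08:30:00", "app": "twitter", "user": "dave", "action": "profile_image_deleted", "target": "avatar"},
    {"ts": "2016-03-04T09:00:00", "app": "dropbox", "user": "bob", "action": "public_link_removed", "target": "old-deck.pptx"},
]

# Behaviours the article singles out, each paired with the question a reviewer must answer.
REVIEW_QUESTIONS = {
    "profile_image_deleted": "Is the user trying to hide their identity?",
    "public_link_removed": "Was something exposed that should not have been?",
    "file_permanently_deleted": "Is the user trying to cover their tracks?",
}

def build_review_queue(events):
    """Return flagged events, oldest first, with context for a human decision."""
    link_created = {}               # (app, target) -> time the public link appeared
    purges = defaultdict(int)       # user -> permanent deletions seen so far
    queue = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["app"], ev["target"])
        if ev["action"] == "public_link_created":
            link_created[key] = ts
            continue
        if ev["action"] not in REVIEW_QUESTIONS:
            continue                # routine activity: nothing for a reviewer to do
        item = {k: ev[k] for k in ("ts", "app", "user", "action", "target")}
        item["question"] = REVIEW_QUESTIONS[ev["action"]]
        if ev["action"] == "public_link_removed":
            created = link_created.pop(key, None)
            # None means the link predates the collected logs: exposure window unknown.
            item["exposed_hours"] = None if created is None else (ts - created).total_seconds() / 3600
        elif ev["action"] == "file_permanently_deleted":
            purges[ev["user"]] += 1
            item["purges_by_user"] = purges[ev["user"]]
        queue.append(item)
    return queue

if __name__ == "__main__":
    for item in build_review_queue(EVENTS):
        print(item)
```

The queue deliberately stops short of a verdict: the exposure window and the running deletion count are there to inform the reviewer's decision, not to replace it.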
Cloud app control – it’s not everywhere
Yet the “Treacherous 12” top cloud computing threats listed by the Cloud Security Alliance at the recent RSA Cybersecurity Conference, as reported in this Infoworld article, hardly paint a picture of a cloud application risk landscape that has been comprehensively tamed.
On the one hand, this presents a healthy sales opportunity for MSPs, who can deliver cloud application control solutions as an inroad into new clients.
But it also provides MSPs with a means of protecting themselves against the growing risk of litigation associated with other cloud applications that they already deliver to their customers.
To give just one rather urgent example, according to this TechTarget article some 75% of all cloud apps used in European enterprises are out of compliance with the new EU data protection regulations that are set to take effect in less than two years – and any MSP providing or provisioning them will be liable, as the incumbent “data processor”, for any security breaches sustained.
Overlaying cloud application control on these existing apps could help to significantly reduce many MSPs’ exposure to this kind of risk, or at least dispel any ambiguity as to what is a breach occasioned by vulnerabilities in the application itself, and what is a breach caused by risky operator interaction with the cloud application environment.
Who sells cloud application control solutions?
Unsurprisingly, these factors (and others) have encouraged industry analysts to comment enthusiastically on the projected rise of cloud application-specific security solutions. Channel Pro, for example, has cited Gartner’s statement that, in 2016, 25% of enterprises will use a cloud access security broker.
But this presents something of a difficulty, given that there are actually so few vendors producing solutions in this space.
One player that has broken the mould, however, is CensorNet, and for good reason. It has developed a cloud app control solution that hits on all the critical MSP hot buttons at once – it is white-labelled to boost the MSP’s brand profile, can be up and running without infrastructure costs, is deployable in minutes, and offers stellar system performance and scalability thanks to its proxy-less architecture.
Yet one swallow does not a summer make. Can MSPs take cloud application control mainstream with so few vendors in the frame?
Put it this way, they’re going to let down a lot of customers if they don’t. Consider this: the average employee already accesses seven different web applications at work, but according to one recent article, 58% of respondents had no training in how to use those apps safely, 39% were unaware of the risks associated with them, and 44% hadn’t been trained in how to transfer and store corporate data securely.
Add to that the revelation, in the same article, that 23% of respondents have already experienced cloud data losses or breaches, and 20% have reported unauthorised access to their data or services, and the need for organisations to understand who is doing what in the cloud, to what, and why, is no longer a nice-to-have – it’s a critical imperative.
Over to you, MSPs...