The cloud is here to stay, and so are its benefits and risks. The key for organizations of all sizes is to maximize the advantages of the cloud while minimizing the threats inherent to the cloud and all IT systems. Selecting among cloud service and third-party security options can be overwhelming. With the right approach, your cloud data and processes can be even safer than your endpoint devices. The third and final post of this series gives some general advice for a more secure cloud. For a full discussion of what you can do to keep your cloud systems safe, please read our whitepaper that’s linked at the bottom of the page.
Success in the modern business world is all about finding the right partners and specialized services to help you take your organization to the next level. This is more than a cliché, especially in cloud computing. As in-house IT staffs are asked to do more with less, finding the right cloud service can unlock key competitive advantages. But recent cyber security breaches (like the ones reviewed in the second post of this series, “The cyber threat forecast: cloudy with a chance of malware”) show that there is a big downside to outsourcing your processes and forgetting about them.
The Shared Responsibility Model demands that organizations do their part to keep the cloud safe in terms of both who and what can access your processes and data. The first step is picking the right level of service to meet your needs (which was reviewed in the first post in this series, “What is the Shared Responsibility Model in cloud-based services?”). The second step is picking a service provider and third-party security solution that work with your in-house security capabilities. Ideally, your partners’ capabilities should complement your in-house capabilities and compensate for their weaknesses without introducing new types of problems. Here are just a few general tips to help you achieve the best cloud service experience.
Don’t just rely on built-in security features
The basic security measures of software as a service (SaaS) providers like Google, Salesforce, Facebook, or Microsoft will often protect you from security breaches. But these rudimentary features are insufficient for security professionals aiming to uphold their obligations under the Shared Responsibility Model.
For example, many services block the most suspicious repeated login attempts. But if someone does gain unauthorized access to your cloud services using your login credentials or devices, you are at fault. This is true according to any version of the Shared Responsibility Model.
Similarly, when users encounter links within a SaaS context to a potentially malicious external website, the service will alert those users that they are leaving the safety of the service. But what if a user fails to heed the warning? Once again, the Shared Responsibility Model makes clients responsible for malicious content — and any harm that content may cause.
Even the best SaaS security is no replacement for good habits like using multi-factor authentication and being skeptical of strange links or files. But these foolproof institutional policies are just the start. You should also strongly consider additional security measures such as antivirus software for endpoint devices and perhaps even firewalls or cloud access security brokers (CASBs).
CASBs: an imperfect category of solution
The logic behind CASBs is promising, especially for enhancing SaaS security. By intermediating the flow of data between endpoints and the cloud, these proxy services prevent everything from malware infection to unauthorized users accessing your precious cloud. However, CASBs present several challenges.
The additional security layer provided by a CASB is beneficial, but downtime of a CASB server means a total loss of this security layer. Perhaps worse yet, your cloud services may be inaccessible when your CASB is unavailable.
This additional layer also requires your IT personnel to be responsible for ensuring all of your colleagues are using properly configured devices. This means your security professionals are responsible for coordinating CASB credentials as well as cloud service credentials — on top of additional digital certificates and proxy settings. In short, CASBs generally provide additional security, but with a significant burden.
Native applications: a straightforward additional security layer
The many headaches that come with external third-party solutions like CASBs become obvious when compared with the ease of robust native third-party security applications like F-Secure Cloud Protection for Salesforce. This class of security solutions has one key advantage with a series of related benefits — native security solutions operate from within the SaaS cloud.
When a security application and SaaS are within the same cloud, the security application is always available when the SaaS is available. Downtime will still happen, but it will be simultaneous downtime of both services and will not leave you vulnerable.
Additionally, native security applications are designed to work with a specific SaaS. These are not broad cross-platform solutions, but highly specialized solutions that meet the security needs associated with a specific SaaS. Native security applications are often designed in collaboration between the cloud provider and security firms like F-Secure. This perfect marriage of expertise means the security measures are designed to compensate for the inherent security vulnerabilities of the SaaS without disrupting the user experience.
This basic advice for SaaS security is just the tip of the iceberg. When one bad breach can mean the end of your business, it is essential that you do your homework before deciding on a SaaS and the right security solutions for safe, reliable use of that service.