Cloud still requires some blue sky thinking

A guest blog from James Phillips, Senior Marketing Manager at Titus

In the conversations I have with customers around the world, it’s clear that when it comes to data, one of the biggest challenges is being able to see where it is located. Without that critical insight, it becomes exceedingly difficult to control where data goes and what protections should be applied.

What cost, collaboration?

Gone are the days when it was good enough to simply store data on an endpoint or in a data centre protected by a firewall. The profusion of cloud services in the intervening years has definitely increased productivity and enabled collaboration, but at what cost? Control.

The number of external resources used by staff has bloomed. Unsanctioned and shadow IT web services supported by a companion app on often unpoliced mobile devices enable working on the move, which is a necessity for companies looking to a global, mobile workforce to remain competitive. And as the external ecosystem grows, there is not just data traffic up and down between cloud and enterprise but left and right within the cloud as services share data.

The weakest list

For years, when discussing cloud security, the conversation focused only on one thing: access. The idea was that if the business controlled who had access to a particular cloud service (be it public or private), then the information contained therein would be secured. However, high-profile data breaches continue apace. There will be no let up in the medium term. And there are sweaty palms on Mahogany Row. Was it really the air conditioning company that caused the breach? Or was it actually the little cloud app being used by two trusted employees that sprung a leak? As the focus turns to supply chain security resilience, we must vet all the unsanctioned tools that staff use as well as make sure the supplier whose face we know is doing the right thing.

IDC tells us that by 2020 40 per cent* of corporate information will be stored in the cloud. Meanwhile cloud native attacks continue to successfully target weak APIs or ungoverned API endpoints to gain access to data. Are software-as-a-service (SaaS) cloud suppliers being asked about security? Perhaps not as much as they should be. Meanwhile in a recent survey run by McAfee**, 69 per cent of executives surveyed said they “trust” public clouds to keep data safe, and 21 per cent “completely trust” that their data will be secure in the cloud. Is the time bomb about to stop ticking?

Enabled employees and the light of productivity

Every organisation has a rheostat. At one end is security. At the other end is productivity. Security is at its maximum when the resistance is at 100 per cent — but then the light of productivity is off. When the light is at its brightest, productivity is at full speed but the potential cost of the fully enabled employee could be a lucky zero or could spell financial and reputational disaster. Every organisation has to define its appetite for risk and do this as soon as they can before organic growth causes unsanctioned IT to get out of control.

Data governance starts with understanding the risk in a cloud-enabled enterprise. It’s of critical importance for businesses to understand the identity of their data — its level of sensitivity to the business as well as how it is used and shared. A cloud access security broker (CASB) can then control what can and can’t leave the organisation. It can also help you get a take on the unsanctioned cloud resources that are being used. How do they perform against the company’s security rheostat? You can then engage users to make sure they are empowered with safe and reliable tools that will keep the light burning bright, even in the clouds.

Want to find out more about the HANDD and Titus partnership and data classification? Contact HANDD today or read more.

*IDC, The Digital Universe in 2020. Big Data. Bigger Digital shadows.

**McAfee 2018, Navigating a Cloudy Sky. Practical Guidance and the State of Cloud Security

author avatar
James Phillips