Cloud Adoption Done Right Transforms Security Pros from Productivity Foes to Friends
As a long-time IT practitioner, I have seen (and contributed to!) my share of organizations whose security offices have taken a hard-line “No” approach on cloud adoption. “We can’t adopt the cloud because it’s [not secure | not secure enough | not as secure as on-prem].” I realize now that each of these organizations’ security offices had something in common: we were all acting with what we believed was our organization’s best interests in mind. Not a one of us came into work and said “We’re blocking cloud because we hate innovation. Also, puppies and freedom.”
But as I continue to have these discussions with security officers (full disclosure: now as a vendor for a Cloud Service Provider), I have begun to formulate a new theory. While we, the Security Professionals, have all good intentions in our stances on cloud adoption, we may in fact be harming our organizations’ overall security postures in the process.
Let me explain. Cloud Service Providers of all sizes and stripes (including my own employer) have made it super-easy to virally adopt cloud services. In many cases you don’t even need a credit card. Just provide a valid email address and away you go with the “Personal” or “Team” version of a collaboration suite, cloud storage solution, or something similar. As a security professional, there is (almost) no way that I can prevent individuals within my organization from doing this. (I mean, I could do it if I were really draconian with my firewall rules…oh, wait, mobile devices, I may be foiled…) As a security professional, if I choose to adopt a strategy of “visibility and policy” rather than “block,” I have an opportunity to be a part of my organization’s cloud adoption strategy, rather than risk being shut out from it entirely.
Through the use of tools like Cloud Application Security Brokers (CASBs), security officers can get visibility into which cloud applications are in use throughout their organization, whether their use has been corporate-sanctioned or virally-adopted. There was an old after-school cartoon with a motto about knowing being half the battle. By developing situational awareness into my employees’ cloud application usage, I can take a first step towards ultimately securing that use.
Even beyond security, taking this kind of approach allows the Security team to become a partner with the business, rather than being perceived as an “enemy of productivity.” If your CASB tells you that fully half of your employees are using a non-sanctioned collaboration tool rather than the service offered by your organization’s IT department, you have two choices:
- Get mad. Block firewall ports.
- Ask the question, “Why?”
Choosing Door Number Two can lead to some interesting results. Is your internal system too slow? Is it not available to the mobile workforce who make up 50% of your employee base? Not mobile-friendly? What would happen if you positioned security data as having benefits to IT Operations and employee productivity? As a way to make your company’s IT organization…a more effective provider of IT services?
In our industry, there is an old trope about how “security” and “usability” exist on a single big dial. In order to ratchet one up, you must dial the other one down. I am a big proponent of finding solutions that allow us to improve both security and usability for IT organizations, and investing in cloud adoption the right way can allow us to do exactly that.
By Laura Hunter, Principal Program Manager at Microsoft