My last blog described the implications of cloud computing going mainstream and its impact on the workforce. Picking up on that theme, Software as a Service (SaaS)-based applications are increasingly the way organizations can quickly and easily leverage new applications. There is tremendous growth and innovation in this area; AngelList lists more than 11,000 SaaS startups in the U.S., and IDC predicts the SaaS-based market will surpass $112 billion by 2019.
Protecting Sensitive Data
What about working to protect sensitive data and the use of SaaS-based applications? In this case, it is likely that sensitive data will be stored and controlled by the SaaS provider and used by an organization’s customers or partners so that the data never comes in contact with the organization’s network, firewalls, or any other security device or process controlled by the organization. This situation gives CIOs and CISOs significant concerns, as SaaS applications can leave leaders with little visibility and control regarding the security of the application and its data. So how does an organization extend its security policies and controls to public clouds and SaaS applications?
Cloud Access Security Brokers (CASBs)
This challenge has given rise to what are known as cloud access security brokers (CASBs), products that serve as security enforcement points sitting on premise or in the cloud. CASBs logically exist between the organization and the cloud service provider to provide a range of services, including identity authentication and authorization, device profiling, application whitelisting, encryption, alerting, and malware detection. Some of the leading vendors in the CASB market include Bitglass, Blue Coat/Symantec, Cloudlock/Cisco, and Skyhigh Networks. The use of CASB solutions is growing rapidly, with Gartner Group reporting that by 2020, 85 percent of large organizations will use CASB solutions, up from fewer than 5 percent in 2015.
On the positive side, the CASB vendors have significant capabilities and are filling a void in the market. As a former CIO, however, I have a jaded view of trying to solve enterprise IT security challenges by continuing to add tools and then working internally to integrate them. I have rarely seen this strategy work well because of the added operational complexity and the need to train staff on another product.
Integrated Security Platform Solutions
As such, I have become a proponent of the view that the best approach to address enterprise IT security challenges is the use of an IT security platform that provides a range of capabilities to help prevent and, when necessary, detect breaches in the enterprise. In this market, Palo Alto Networks, Cisco and Check Point Software provide integrated platform solutions (disclosure: I am member of Palo Alto Networks Public Sector Advisory Council).
As an example of the value of a platform, Palo Alto Networks has recently extended its platform capabilities into cloud solutions and SaaS applications. What is particularly intriguing (and operationally appealing) is that I can set my security controls for a type of data (for example, tailoring the controls according to the data’s sensitivity), and the technology enables me to enforce those policies throughout its platform, regardless of whether that data is residing in my own data center, an outsourced data center or in a SaaS application on a public cloud. This method greatly simplifies security policy administration throughout an enterprise and offers advanced threat prevention. Furthermore, one of the growing exploits used by attackers aims to infect users through malware via SaaS-based applications, since adversaries know that most organizations do not have the ability to monitor those SaaS applications the way they do internally-based applications. A key component of these platforms is the ability to bring threat detection and prevention capabilities to all aspects of the IT infrastructure and applications, including those residing in the cloud.
The use of SaaS-based applications is becoming a preferred approach for rapidly delivering new capabilities for organizations. The demand is coming from the business users, and, as such, IT organizations must accept and plan for continued expansion in the number and use of SaaS applications. Accordingly, IT organizations need to develop a comprehensive approach for addressing the security challenges that come with relying on third-party computing and applications, even though the user and data may never traverse the organization’s network or data centers. Further, IT organizations must develop the skills of their security staff to help evaluate, implement and effectively leverage the use of advanced security products, such as CASBs and integrated security platforms.