Protecting The Business From Cloud Application Security Risks


All groups within an organization, including those that work in sales, IT and even the executive team, are using cloud applications. First, to make sure everyone is on the same page about what a cloud application is, I'll define it as deriving utility from an Internet-based application not built or managed by an organization or even hosted on their premise. These applications help make companies more productive, keep employees working while not in the office and allow for better collaboration between prospects, clients, partners, employees and vendors.

However, there can be major security issues that come along with using cloud applications. Organizations exist because of their talent, intellectual property and much more. Once this private information leaves the organization's protection or security and is publicly available, it can compromise the profitability and product plans of the company. There is the potential for data leakage with cloud-based applications, and some, such as file-transfer and data management apps, introduce another avenue through which threats can enter the corporate environment.

How does an IT organization deal with this problem? First, an organization needs visibility into these applications. This visibility requires the use of newer technologies, such as next-generation firewalls that have the ability to accurately and dynamically determine the application and its functionality in real-time. Organizations are being misled by some older technologies that claim to identify applications but don't.

For example, I might see port 80 traffic and think that's Web browsing, but I would be wrong. The majority of applications are using HTTP as their medium, and traditional firewalls have these ports open, so applications develop toward the path of least resistance and greatest adoption. Next- generation firewalls deliver the visibility needed to allow an organization to understand its environment and then properly react and control access and content. This is what one vendor calls "safe application enablement" on a per-user or user-group basis. Legacy port-based firewalls, proxies and standalone IPSs don't enable this type of visibility, regardless of their marketing claims.

Organizations can also benefit from having their IT department perform an assessment of the cloud-based applications being used in their environments. They can then determine what technologies they have and what they need to implement to offer employees a secure method to accomplish business-critical tasks while minimizing risk for the organization.

For instance, consumer file-sharing applications like Dropbox, SkyDrive, and iCloud are very popular, but they aren't enterprise-grade. They can be replaced with a system designed for the enterprise that will keep the data on-premise and provide similar functionality with better security, administrative tools and the ability to originate and edit office documents within its secure container. Giving your users the proper tools will eliminate the need for them to go out and find their own methods, and negate the instances of end users working around IT-provided systems. Controlling employees' ability to use certain tools through the use of technology implementation, not just a written policy, is a must.

This "safe application enablement" applies to all cloud-based applications, including social media, instant messaging, online storage, and audio and video streaming. An organization can choose to leverage those tools, but it needs to ensure it is enabling them for the right users, at the right time and only with the necessary functionality, while also scanning for threats and data leakage when these apps are in use.

Companies need to be able to utilize the flexibility that cloud applications offer them and their employees, without worrying about security risks that could impact business productivity and revenue. By implementing secure, business-ready cloud-based technology, employees and executives will be more productive, and better able to contain any security risks.

Christopher Willis is the director of security solutions at Sayers, where he leads the organization's engineering talent and partner relationships.

PUBLISH MAY 28, 2013