Cloud Security:Technologies You Need to Safely Use the Cloud

1

Carson Sweet, CEO & Co-Founder CloudPassage

2

Public infrastructure as a service

Overview: Many companies deploy their own applications, websites and other workloads in public infrastructure as a service (IaaS) and platform as a service (PaaS) solutions because it allows for rapid access to infrastructure on demand and can scale rapidly.

Risk: The security that comes with public IaaS service is not complete as it fails to protect workloads - exposing the company to compliance failures, brand damage, fines, legal liability and data theft.

Infrastructure as a service

3

Technology: There are two categories of security for public IaaS – point solutions and platform providers.

Broader cloud-forward providers focus on the strategic capabilities that transcend any specific cloud provider, similar to CloudPassage's software-defined security.

Point solutions only provide one or two functions; an example would be the SIEM capabilities provided by ArcSight or Splunk.

These few technology providers offer a diverse group of security controls but all focus on securing the workload in the cloud.

IaaS requires the ability to verify integrity of the workload, alert to unauthorized changes, and track for incidents of compromise – details that an IaaS provider would be unable to ascertain but are the responsibility of the business

4

Software as a service

Overview: SaaS providers offer ready-to-use business applications that are available on demand and can scale.

Risk: SaaS providers handle sensitive business information, but your company is still ultimately responsible for its data and should perform due diligence on the SaaS providers. With SaaS, we see common routes to data theft through:

1. Attackers exploiting weak or poorly managed SaaS authentication mechanisms to gain access to user accounts.

2. Weaknesses in application functionality that allow intruders to gain a foothold or extract data.

3. Vulnerabilities of infrastructure that can be exploited.

5

Software as a service

Technologies: The two major focus areas for businesses to address regarding SaaS security are data encryption and user access control.

Data encryption focuses on protecting the end-user data within the service infrastructure with companies like CipherCloud.

User access control focuses on stronger authentication and more effective identity management that collectively protects access to a company's SaaS data, accounts and supporting services. Examples include OneLogin, Okta and Ping Identity.

6

Governance of cloud services

Overview: As companies use IaaS, PaaS and SaaS, they need to have mechanisms in place that will track, monitor and govern the use of these services, which is critical to companies maintaining control of information technology and protecting data assets.

Risk: Without governance, there's a lack of visibility into how company data is being used, where it's being sent and the threats it's being exposed to.

7

Governance of cloud services

Technologies: The governance and utilization monitoring of cloud services is newly emerging. Companies can monitor and set granular policies regarding employee access to and usage of common SaaS, PaaS and IaaS providers, which allows them to mitigate potentially risky data handling in the cloud and cloud data loss protection.

Companies can also control what can be used and done with approved cloud services and report on utilization and activity integrated with identity and access management. Examples of governance of cloud services include NetSkope and Skyhigh.