Feb 27 2019

Cloud Security Should Reduce Friction for Users

Organizations need to protect both SaaS and IaaS environments, a McAfee expert says.

More data is moving to the cloud and organizations need to secure it. 

According to Cisco Systems’ “Global Cloud Index” report, cloud traffic will grow 3.3-fold from 6 zettabytes in 2016 to 19.5 zettabytes in 2021. For a sense of scale, 1 zettabyte equals 1 trillion gigabytes. 

By 2021, cloud services will account for 95 percent of all data center traffic, up from 88 percent in 2016. That's not surprising, since, according to the report, more businesses and users will access cloud-based services on their devices. By 2021, 94 percent of all workloads and compute instances will be cloud-based, up from 83 percent in 2016.

And more of those cloud services will run on public cloud infrastructure, according to the Cisco report. Globally, the percentage of cloud services running in public clouds from Microsoft, Google and others will increase from 58 percent in 2016 to 73 percent in 2021.

Cloud is unique and “truly transformational” because it is not IT-driven but instead driven by businesses units and IT teams need to react, according to Kaushik Narayan, vice president and CTO of the cloud business unit at McAfee.

Speaking this week at the CDW Protect SummIT in Phoenix, he said “the notion of friction is important” when it comes to cloud security. “How do you go about building capabilities so businesses and users do not see any friction?” he asked. 

JOIN-THE-CONVERSATION: Follow @BizTechMagazine on Twitter for continued CDW Protect SummIT coverage.

Organizations need to protect Software as a Service applications and environments to ensure that users are not impeded from using apps, Narayan said. Meanwhile, they must be even more vigilant in Infrastructure as a Service environments and ensure they have visibility into configurations and data usage, he said. 

How to Manage Cloud Security in SaaS Environments

The first thing organizations need to determine to secure SaaS environments is which apps house critical data, according to Narayan. “Where is the cheese? Where is your sensitive data?” he said. 

Narayan said 65 percent of cloud data is in the most popular SaaS apps, like Office 365G Suite, SalesForce and ServiceNow. These SaaS providers protect their own infrastructure, but IT security leaders are responsible for protecting their own data that flows into these apps. They need to focus on the lateral movement of data and when users share data with those outside the organization, Narayan said. 

One way to do this is contextual access control. IT teams can block the sync or downloading of corporate Office 365 data to personal devices. Organizations should also invest in advanced threat protection to detect compromised accounts, insider/privileged user threats and malware, Narayan said. 


Ultimately, Narayan said, organizations should keep in mind that “frictionless solutions are key to success” and that cloud security tools “cannot impede the user experience.” 

Friction slows down usage, and protocols shared between the client and server start to break. He urged security solutions to be cloud-native. 

Organizations also need operational integration with their enterprise data protection stack, he said. “You don’t want to protect data in the cloud differently than data in your enterprise,” he added. A key element of that is end-to-end data protection that is tied to endpoints and web browsers. 

“Your CISO and your IT organization will demand of you that you do this with the staff you have in place,” Narayan said. One way to do this kind of security continuously and easily is to use a self-service SaaS or application catalog system that allows IT teams to add security for apps on a continuous basis. 

VIDEO: Discover what a CASB is and why it’s important for your business.

Be Vigilant in IaaS Cloud Environments

In IaaS environments, the exposure for an organization is “much more significant,” Narayan said. Not only are apps in the cloud, but so is the organization’s virtual network and infrastructure. “You are responsible for a lot more,” he noted. 

Taking a developer/DevOps-centric model is key to IaaS security success, Narayan said. In the world of “infrastructure as code,” in which developers are pushing out updates twice per day, it is crucial to manage configuration drift, or the ways in which the code is being changed. Enforcing security controls to maintain compliance standards in an environment that is changing all the time is difficult and requires discipline, Narayan said.

Organizations need to integrate security into the DevOps process, and the solutions must work in multicloud environments, he said. 

Check out our event page for more articles and videos from the CDW Protect SummIT.

akindo/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT