By Adrian Kitto, chief technology officer, Detexian
You’re in a multi-cloud world even if you don’t realise it. Although your focus might be on the big players like Microsoft Azure, Amazon Web Services (AWS) and Google Cloud, it’s a fair bet you’ll have a growing list of Software as a Service (SaaS) tools in your application stack, and you may not even know which SaaS apps your business is using. That means important business data is distributed across multiple service providers, which makes protecting it, and understanding where your risks lie, challenging.
When you’re thinking about your multi-cloud footprint, you need to think about your infrastructure, platforms and applications. Recent data from IDC found that 58% of Australian businesses use SaaS solutions, with Gartner reporting that many businesses have dozens of different cloud apps and services in use at any one time. That means data is being spread far and wide, often with scant understanding of what controls are in place to protect it. And while the service provider’s infrastructure might be secure, businesses might not have the tools and skills to use that infrastructure securely.
And despite Amazon saying during a recent Dev Day event that businesses achieve their “best success” when they “choose to work with the cloud provider of their choice,” the reality is that organisations acquire cloud services as needed and end up multi-cloud either by design, as they choose best-of-breed solutions, or organically, as they add applications to solve point-in-time challenges.
The multi-cloud world is the real world
Many organisations do choose a single Platform as a Service (PaaS) provider, but those systems are then linked to SaaS solutions as businesses connect data from core platforms to CRM systems or applications such as MailChimp. Those integrations mean data moves and is copied between systems with different security settings and options, which makes it hard to know where your data actually is.
Organisations usually have a good handle on where their structured data is held. Core systems are well understood: even if the business doesn’t know exactly what data it has, it knows where it is. But understanding the business criticality and sensitivity of that data often lags.
Classifying data, so that the business understands what is important and can choose the controls needed to mitigate the risk of it being accessed or used incorrectly, is challenging. Businesses often know what data they need to operate but aren’t fully aware of how sensitive it is. And each business unit may have a different view of what is critical and sensitive: the HR team’s view will differ from the logistics department’s. These diverse views aren’t wrong; many different factors affect the operations of a business.
Shared responsibility
When it comes to the cloud, data protection is a shared responsibility. Service providers have a role in providing suitable controls, but it is up to the customer to enable, monitor and adjust those controls. Gartner states, in its “Innovation Insight for Cloud Security Posture Management” report, that almost every cloud data breach will be the result of customer misconfiguration and mistakes.
Although this sounds simple, features and controls in SaaS and other cloud systems are evolving faster than customers can keep up with. Many of these systems are sold directly to line-of-business users, bypassing the traditional internal purchasing channels where questions about data protection get asked. The regulatory environment is also changing as different countries introduce new laws. As a result, settings that were appropriate in the past may no longer be suitable.
The GRC triumvirate – Governance, Risk, and Compliance – is struggling to keep up with a multi-SaaS world.
Death to point solutions
The Australian Signals Directorate (ASD) recommends that businesses implement its “Essential Eight” mitigation strategies, which include restricting administrative privileges and enforcing multi-factor authentication. Applying those across dozens of SaaS solutions requires substantial effort. What’s needed is tooling that lets businesses set controls such as privileged access restrictions and multi-factor authentication consistently across every SaaS tenant, and ensure they stay set.
We are moving away from point solutions when it comes to cloud security. Cloud security posture management is evolving: businesses define the rules and policies they need to guard against their risks, and then continuously check that the matching settings are applied across all the SaaS solutions they employ.
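To make the posture-management idea concrete, the following is an added example written for this page, not code from the author or from Detexian. It encodes a small policy baseline (control names are hypothetical, not any vendor’s real setting names), evaluates constructed settings exports from three imaginary SaaS tenants against it, and rolls the results up by severity the way a risk dashboard would. A setting the tenant does not report is treated as a finding, because a control that cannot be shown to be set cannot be relied on.

```python
"""Toy SaaS posture check: compare tenant settings with one policy baseline."""
from dataclasses import dataclass
from typing import Any

# Policy baseline the business defines once and applies to every SaaS tenant.
# control name -> (comparison, expected value, severity). Names are hypothetical.
BASELINE: dict[str, tuple[str, Any, str]] = {
    "mfa_enforced_admins": ("eq", True, "critical"),
    "mfa_enforced_all_users": ("eq", True, "high"),
    "admin_accounts": ("max_len", 3, "high"),          # restrict privileged access
    "external_sharing_default": ("in", {"internal_only", "disabled"}, "medium"),
    "session_timeout_minutes": ("le", 480, "low"),
}

# Constructed tenant snapshots, shaped like a settings export or admin API
# response. All values are made up for this example.
TENANTS: dict[str, dict[str, Any]] = {
    "crm": {
        "mfa_enforced_admins": True,
        "mfa_enforced_all_users": True,
        "admin_accounts": ["alice", "bob"],
        "external_sharing_default": "internal_only",
        "session_timeout_minutes": 240,
    },
    "mailer": {
        "mfa_enforced_admins": True,
        "mfa_enforced_all_users": False,
        "admin_accounts": ["alice", "bob", "carol", "dave", "marketing-shared"],
        "external_sharing_default": "anyone_with_link",
        # session_timeout_minutes is not reported by this app at all
    },
    "hr": {
        "mfa_enforced_admins": False,
        "mfa_enforced_all_users": False,
        "admin_accounts": ["alice"],
        "external_sharing_default": "disabled",
        "session_timeout_minutes": 1440,
    },
}


@dataclass(frozen=True)
class Finding:
    app: str
    control: str
    severity: str
    expected: Any
    actual: Any
    reason: str  # "drift" (wrong value) or "not reported" (setting absent)


def _compliant(op: str, expected: Any, actual: Any) -> bool:
    """Apply one baseline comparison to an observed value."""
    if op == "eq":
        return actual == expected
    if op == "le":
        return actual <= expected
    if op == "max_len":
        return len(actual) <= expected
    if op == "in":
        return actual in expected
    raise ValueError(f"unknown comparison {op!r}")


def evaluate_tenant(app: str, settings: dict[str, Any],
                    baseline: dict = BASELINE) -> list[Finding]:
    """Return every baseline control the tenant fails or does not report."""
    findings: list[Finding] = []
    for control, (op, expected, severity) in baseline.items():
        if control not in settings:
            findings.append(Finding(app, control, severity, expected, None, "not reported"))
            continue
        actual = settings[control]
        if not _compliant(op, expected, actual):
            findings.append(Finding(app, control, severity, expected, actual, "drift"))
    return findings


def evaluate_all(tenants: dict[str, dict[str, Any]],
                 baseline: dict = BASELINE) -> dict[str, list[Finding]]:
    """Run the same baseline across every tenant in the inventory."""
    return {app: evaluate_tenant(app, cfg, baseline) for app, cfg in tenants.items()}


def summarize(results: dict[str, list[Finding]]) -> dict[str, int]:
    """Finding counts by severity across all apps, as a dashboard would show."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for findings in results.values():
        for f in findings:
            counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_all(TENANTS)
    for app, findings in results.items():
        print(f"{app}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: expected {f.expected!r}, "
                  f"got {f.actual!r} ({f.reason})")
    print("totals:", summarize(results))
```

Run as a script it reports the CRM tenant as clean, four findings for the mailer (including the unreported session timeout) and three for the HR app, with one critical finding overall: admins in the HR tenant without MFA. In practice the `TENANTS` dictionary would be fed by each vendor’s admin API or configuration export, and the check would run on a schedule so that drift after a vendor feature change or an admin’s manual tweak is caught rather than discovered after an incident.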
The future of SaaS security will require clear dashboards that are focussed on business risks and on ensuring the right controls are set and maintained. Knowing what data you have and where it’s located is just the first step. In a multi-SaaS world, setting and monitoring the right controls will require new tools as data becomes increasingly distributed.