Everyone uses the cloud. It is a plain, simple fact that everyone uses at least one consumer cloud and that those consumer clouds (iCloud, Google, Dropbox, etc.) translate into cloud usage within the workplace. The workforce likes to get its job done, and part of doing that is using the tools they know, regardless of how IT feels about everything. In the past, IT would block access to those consumer-grade tools with the mistaken thought that they were not secure, that data was leaking, or that they were just plain bad to use. That is not the opinion of the workforce. IT did not substitute anything in place of those tools, so in many cases, IT became marginalized, shadow IT propagated, and we are now behind the eight ball when it comes to having a solid plan on how to handle the cloud tools. Because the workforce uses these Software as a Service (SaaS) tools, we are working within the world of the hybrid cloud.
My definition of hybrid cloud differs. People talk about public vs. private cloud or using hybrid cloud in some organized fashion. I believe that anytime we access a SaaS, PaaS, or IaaS from a public resource (such as public Wi-Fi, LTE, 4G, etc.), we are in effect using a hybrid cloud model regardless of where the data lives. Embrace the thought and accept it. The world is not public or private, but hybrid. We may never move from a hybrid cloud, but with the introduction of the Internet of Things, the world became a whole lot more hybrid. Cars use public Wi-Fi. They are themselves within public spaces, yet they use services presented from SaaS and from the automobile manufacturer’s own data centers. A car is a perfect example of a hybrid cloud.
There is a twelve-step program available for those who do not think their organization uses the cloud. At the recent Cloud Security World, I spoke on securing the hybrid cloud, but it really starts with one statement:
- Admit your organization is using the cloud. Yes, stand up and say it: “We use a hybrid cloud.”
Once those words are spoken, you can then go to the next step. Accept you have a cloud problem:
- Say it loudly and embrace it: “I have a cloud problem!”
Okay, now that we have that out of our system, there is one other item to do:
- Say it out loud and embrace it: “There is no more perimeter! My Data Is Everywhere!”
If you can embrace these messages, then you can finally start working toward a solution. You can start looking at tools that will help you to find the proper answers. But until all parts of IT, from management on down, admit they have issues, they are fighting a losing battle, and breaches will continue to happen. Until users know how to use their clouds wisely, data will still leak out. There are two major issues here:
- Users and how they use their clouds.
- IT and how it manages corporate data.
It is no longer about the system, but about the data. How can I protect data that may no longer reside within systems I control? Protecting the data is the goal, and to do it we need to know who accessed the data, when it was accessed, what was accessed, from where it was accessed, how it was accessed, and hopefully, why it was accessed.
There is a class of tools that can assist with this discovery and log access as appropriate, but until you realize a problem exists, no one thinks to implement them. They are:
- Skyhigh Networks, with its reputation-based rating of various cloud services. If your users are going through your network, you can see what they are using and the reputation of that service. Skyhigh Networks also can restrict access and provide logging.
- Elastica, like Skyhigh Networks, detects services in use and can restrict which are in use while providing logging when used within your network.
- Skyfence is like Elastica in that it detects services and provides logging when used within your network.
- Adallom is a cloud service that hooks into the cloud service’s SSO to redirect traffic through its set of transparent proxies.
All of these tools can be used to add fine-grained role-based access control around data access within a cloud service; to log who did what, when, where, and how; and to detect what services are in use.
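To make the two requirements above concrete, the following is an added example, not code from this post or from any of the vendors it names: it reads a constructed forward-proxy log, maps each request to a cloud service using a small constructed catalog (a real discovery product maintains a large, reputation-scored registry; this one is a handful of entries for illustration), records the who/when/what/from-where/how of each access, and flags writes to services the organization has not sanctioned. The log format, the catalog, the hostnames and the "10/8 is inside the network" rule are all assumptions made for the example.

```python
"""Shadow-IT discovery and access auditing over proxy log lines.

Added example (not the post's or any vendor's code). Assumed, constructed
log format, one request per line:
    <ISO-8601 UTC time> <user> <source IP> <HTTP method> <URL>
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed catalog: domain suffix -> (service name, sanctioned by IT?).
# A real CASB draws on a large reputation-rated registry; this is illustrative.
SERVICE_CATALOG = {
    "dropbox.com": ("Dropbox", False),
    "icloud.com": ("iCloud", False),
    "drive.google.com": ("Google Drive", True),
    "box.example-corp.com": ("Corporate Box tenant", True),
}

# Constructed sample log lines (users, IPs and URLs are made up).
SAMPLE_LOG = """\
2015-06-01T09:12:03Z alice 10.1.4.22 PUT https://content.dropbox.com/upload/Q3-forecast.xlsx
2015-06-01T09:13:10Z alice 10.1.4.22 GET https://drive.google.com/file/d/abc123
2015-06-01T09:15:44Z bob 203.0.113.7 POST https://www.icloud.com/iclouddrive/upload
2015-06-01T09:20:01Z carol 10.1.9.5 GET https://box.example-corp.com/folder/42
2015-06-01T09:21:30Z bob 203.0.113.7 GET https://unknown-share.example/dl/report.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def classify_host(host):
    """Map a hostname to a catalog entry by longest matching domain suffix.

    Unknown hosts are treated as unsanctioned: discovery is about surfacing
    what IT has never heard of, not only what it already disapproves of.
    """
    for suffix in sorted(SERVICE_CATALOG, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return SERVICE_CATALOG[suffix]
    return ("Unknown service", False)


def parse_line(line):
    """Turn one log line into a who/when/what/where/how record, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src_ip, method, url = m.groups()
    host = urlsplit(url).hostname or ""
    service, sanctioned = classify_host(host)
    return {
        "who": user,
        "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "what": url,
        "where": src_ip,
        "how": method.upper(),
        "service": service,
        "sanctioned": sanctioned,
        # Assumption for the example: 10.0.0.0/8 is the corporate network.
        "off_network": not src_ip.startswith("10."),
    }


def audit(log_text):
    """Return (records, service -> set of users, unsanctioned-write findings)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    usage = defaultdict(set)
    findings = []
    for r in records:
        usage[r["service"]].add(r["who"])
        # Reads from an unknown service are worth knowing about; writes to an
        # unsanctioned one are where corporate data actually leaves.
        if not r["sanctioned"] and r["how"] in WRITE_METHODS:
            findings.append((r["who"], r["service"], r["how"], r["what"]))
    return records, dict(usage), findings


if __name__ == "__main__":
    records, usage, findings = audit(SAMPLE_LOG)
    print("Services in use:")
    for service, users in sorted(usage.items()):
        print(f"  {service}: {', '.join(sorted(users))}")
    print("Unsanctioned writes:")
    for who, service, how, what in findings:
        print(f"  {who} {how} {service} {what}")
```

The usage map answers "what services are in use and by whom"; the per-record fields answer the who/when/what/where/how questions from the text; the findings list is the narrow, actionable subset an analyst would look at first. Note the example only sees traffic that passes the proxy, which is exactly the gap the next paragraph raises.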
The real question is, are you ready for these tools? Are you ready to realize that not all traffic will flow through your network, but instead will go direct to the service? There are no more perimeters. There is only the hybrid cloud: the basis for the software-defined data center. There is only the need to protect your data in some fashion. If we understand this, is there a need to know where your data resides?