Optiv leaders said customers must discover all the cloud-based applications being used in their organizations and put firewalls and access controls in place to secure them.
John Turner, senior director of cloud security at Denver-based Optiv, No. 27 on the 2017 CRN Solution Provider 500, said that individual employees or departments often adopt cloud applications to address inefficient internal business processes or systems, particularly in a marketing or consumer outreach division.
"We've trained our corporate citizens to not click on links and on email hygiene, but we haven't taught them how to be a security professional when it comes to selecting applications," Turner told CRN. "And that's where we sort of need to evolve a little bit more."
Companies looking to secure their ecosystem from sanctioned and unsanctioned cloud apps need to first gain visibility into what's there, which in large organizations is typically done through a cloud access security broker platform, Turner said Tuesday during Optiv's Enterprise Security Solutions Summit in Foxborough, Mass.
Security professionals need to work hand-in-hand with developers to secure the individual applications and the landing zone together, Turner said during a breakout session. Building base-layer security gets an organization about 80 percent of the way there, Turner said, because it provides logging, identity controls and the facilities from which incident response can be run.
"Security cannot be executed in isolation," Turner said. "Security is really a team sport. It's the only way we're ever going to move things forward."
Turner said companies should consider injecting firewalls into the applications themselves rather than putting them on the perimeter of the entire cloud. For apps that don't need the full strength of a next-generation firewall – or can't have a firewall put around them, like messaging queues – Turner said an access control list can be a suitable alternative.
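The distinction Turner draws, a network-level control attached to each application rather than to the cloud perimeter, and an identity-based access control list for resources such as a message queue that cannot be wrapped in a firewall, can be illustrated with a small policy evaluator. The code below is an added example, not Optiv's code or anything shown at the summit; the application names, CIDR ranges, queue name, service principals and traffic records are all constructed for illustration.

```python
"""Per-application network rules and a per-queue ACL, evaluated against
constructed traffic and queue requests. Added example; every name here
(apps, subnets, queue, principals) is hypothetical."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """One allow rule: a source CIDR permitted to reach a port/protocol."""
    source: str
    port: int
    proto: str = "tcp"


@dataclass
class AppPolicy:
    """Network rules attached to a single application, not the whole cloud."""
    name: str
    rules: list = field(default_factory=list)

    def allows(self, src_ip: str, port: int, proto: str = "tcp") -> bool:
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if (r.proto == proto and r.port == port
                    and ip in ipaddress.ip_network(r.source)):
                return True
        return False  # nothing matched: default deny


@dataclass
class QueueAcl:
    """Identity-based ACL for a messaging queue: principal -> permitted actions.
    A queue has no network edge to firewall, so control is per caller."""
    name: str
    grants: dict = field(default_factory=dict)

    def allows(self, principal: str, action: str) -> bool:
        return action in self.grants.get(principal, frozenset())


# Constructed policies: the public web tier accepts HTTPS from anywhere,
# the internal orders API only from the web tier's subnet.
POLICIES = {
    "web-frontend": AppPolicy("web-frontend", [Rule("0.0.0.0/0", 443)]),
    "orders-api": AppPolicy("orders-api", [Rule("10.1.0.0/24", 8443)]),
}

# Constructed queue ACL: the API may only publish, fulfillment may only consume.
QUEUES = {
    "orders-events": QueueAcl("orders-events", {
        "svc-orders-api": frozenset({"send"}),
        "svc-fulfillment": frozenset({"receive", "delete"}),
    }),
}


def evaluate_flows(flows, policies=POLICIES):
    """flows: iterable of (app, source_ip, port). Returns [(app, ip, port, allowed)]."""
    return [(app, src, port, policies[app].allows(src, port))
            for app, src, port in flows]


def evaluate_queue_requests(requests, queues=QUEUES):
    """requests: iterable of (principal, queue, action). Returns [(..., allowed)]."""
    return [(who, q, act, queues[q].allows(who, act))
            for who, q, act in requests]


if __name__ == "__main__":
    # Constructed sample traffic, including a direct hit on the API from the Internet.
    sample_flows = [
        ("web-frontend", "203.0.113.5", 443),
        ("web-frontend", "203.0.113.5", 80),
        ("orders-api", "10.1.0.7", 8443),
        ("orders-api", "203.0.113.5", 8443),
    ]
    sample_queue = [
        ("svc-orders-api", "orders-events", "send"),
        ("svc-orders-api", "orders-events", "receive"),
        ("svc-unknown", "orders-events", "send"),
    ]
    for row in evaluate_flows(sample_flows) + evaluate_queue_requests(sample_queue):
        print(row)
```

The point of writing the two controls as separate classes is that they answer different questions: the network rule decides which subnets may talk to an app at all, while the queue ACL decides which identity may perform which action once connected. Both default to deny, so a new app or a new service principal gets nothing until a rule is written for it.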
"Ultimately, at the end of the day, you need to secure each app as its own," Turner said.
When it comes to Software-as-a-Service apps like Concur or Box, organizations should see if the vendor will provide visibility into the application security and access control models being used, according to Aubrey Turner, client solutions adviser for identity and access management at Optiv.
From there, Aubrey Turner said, the customer can decide how to provision accounts to the app, how to govern it and how to certify access. The access certification process should cover not only who has access to the app, according to Aubrey Turner, but also what within the app each employee can reach and how that access is actually being used.
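The three questions Aubrey Turner lists for an access certification, who has access, what they can do inside the app and whether they actually use it, map directly onto a review that joins the entitlement list against usage evidence. The code below is an added example, not Optiv's tooling; the employee names, SaaS apps, roles, HR active list and usage log lines are constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Access certification review over constructed SaaS entitlements.
Added example, not Optiv's code. Users, apps, roles, the HR active list,
the usage log and the 90-day threshold are all hypothetical."""
from datetime import date, datetime

# Constructed entitlement export: (user, app, role).
ENTITLEMENTS = [
    ("alice", "concur", "expense-approver"),
    ("alice", "box", "user"),
    ("bob", "box", "admin"),
    ("carol", "concur", "user"),
    ("dave", "box", "user"),
]

# Constructed HR feed of current employees; dave has left but still has a grant.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}

# Constructed SaaS audit log lines: timestamp user app action.
USAGE_LOG = """\
2023-06-01T09:12:00Z alice concur approve_report
2023-06-02T10:00:00Z alice box download
2023-03-01T08:00:00Z bob box list_files
2023-06-03T11:30:00Z carol concur submit_report
2023-06-03T11:31:00Z dave box download
"""

# Roles that must be re-attested even when in active use (assumed policy).
PRIVILEGED_ROLES = {"admin", "expense-approver"}
DORMANT_DAYS = 90                 # assumed policy threshold
AS_OF = date(2023, 6, 15)         # review date for the constructed data


def parse_usage(log_text: str) -> dict:
    """Reduce the audit log to the most recent activity date per (user, app)."""
    last_used = {}
    for line in log_text.splitlines():
        ts, user, app, _action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        key = (user, app)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
    return last_used


def certify(entitlements, active_users, log_text, as_of, dormant_days=DORMANT_DAYS):
    """Return one finding per entitlement with flags and a recommended action."""
    last_used = parse_usage(log_text)
    findings = []
    for user, app, role in entitlements:
        flags = []
        if user not in active_users:
            flags.append("orphaned")        # leaver still holds access
        used = last_used.get((user, app))
        if used is None:
            flags.append("never-used")
        elif (as_of - used).days > dormant_days:
            flags.append("dormant")         # granted but not exercised
        if role in PRIVILEGED_ROLES:
            flags.append("privileged")      # scope inside the app matters, not just access

        if any(f in flags for f in ("orphaned", "never-used", "dormant")):
            action = "revoke"
        elif "privileged" in flags:
            action = "recertify"            # in use, but an owner must re-attest
        else:
            action = "keep"
        findings.append({
            "user": user, "app": app, "role": role,
            "last_used": used.isoformat() if used else None,
            "flags": flags, "action": action,
        })
    return findings


def run_review():
    """Run the certification over the constructed data set."""
    return certify(ENTITLEMENTS, ACTIVE_EMPLOYEES, USAGE_LOG, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:6} {f['app']:7} {f['role']:17} "
              f"last={f['last_used']} {f['action']:10} {','.join(f['flags'])}")
```

Two outcomes in the constructed data show why usage has to be part of the review: bob's Box admin role is still technically assigned to a current employee, yet it has not been touched in over 90 days and is flagged for revocation, while dave's ordinary user role is still in active use but belongs to someone who has left, so HR data, not the audit log, is what catches it.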