Optiv Execs: Customers Need To Understand And Secure Their Entire Cloud Application Landscape
Optiv leaders said customers must discover all the cloud-based applications being used in their organizations and put firewalls and access controls in place to secure them.
John Turner, senior director of cloud security at Denver-based Optiv, No. 27 on the 2017 CRN Solution Provider 500, said that individual employees or departments often adopt cloud applications to address inefficient internal business processes or systems, particularly in a marketing or consumer outreach division.
"We've trained our corporate citizens to not click on links and on email hygiene, but we haven't taught them how to be a security professional when it comes to selecting applications," Turner told CRN. "And that's where we sort of need to evolve a little bit more."
Companies looking to secure their ecosystem from sanctioned and unsanctioned cloud apps need to first gain visibility into what's there, which in large organizations is typically done through a cloud access security broker platform, Turner said Tuesday during Optiv's Enterprise Security Solutions Summit in Foxborough, Mass.
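To make the visibility step concrete, here is an added example (not Optiv's or CRN's code) that does, in miniature, what a CASB does at scale: it reads egress proxy logs, maps destination hosts to a catalogue of known SaaS applications, and separates sanctioned from unsanctioned use by user count and bytes sent. The log lines, the app catalogue (including the `example-share.net` and `example-campaigns.io` domains) and the sanctioned list are all constructed for the illustration.

```python
"""Discover which cloud apps are in use from web-proxy logs.

Added example; not Optiv's tooling. A real CASB ships a catalogue of
thousands of apps and ingests logs from proxies, firewalls and APIs.
This is the same idea on a handful of constructed lines.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp user URL bytes_sent
SAMPLE_LOG = """\
2017-08-15T09:01:12Z alice https://app.box.com/folder/123 20480
2017-08-15T09:03:40Z bob https://www.concursolutions.com/expense 10240
2017-08-15T09:05:01Z carol https://transfer.example-share.net/upload 904320
2017-08-15T09:07:19Z bob https://outlook.office365.com/mail 4096
2017-08-15T09:09:55Z dave https://transfer.example-share.net/upload 1203000
2017-08-15T09:11:02Z alice https://mailer.example-campaigns.io/send 2048
"""

# Hypothetical catalogue: domain suffix -> application name (constructed).
APP_CATALOGUE = {
    "box.com": "Box",
    "concursolutions.com": "Concur",
    "office365.com": "Office 365",
    "example-share.net": "ExampleShare (file transfer)",
    "example-campaigns.io": "ExampleCampaigns (email marketing)",
}

# Apps the (hypothetical) organisation has approved.
SANCTIONED = {"Box", "Concur", "Office 365"}


def classify_host(host):
    """Return the catalogue app name for a hostname, or None if unknown."""
    for suffix, name in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def discover_apps(log_text):
    """Aggregate distinct users and bytes sent per app.

    Returns {app_name: {"users": set, "bytes": int, "sanctioned": bool}}.
    Unknown destinations are kept under "unknown:<host>" so they are
    not silently dropped from the inventory.
    """
    stats = defaultdict(lambda: {"users": set(), "bytes": 0, "sanctioned": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, url, nbytes = line.split()
        host = urlparse(url).hostname or ""
        app = classify_host(host) or f"unknown:{host}"
        entry = stats[app]
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
        entry["sanctioned"] = app in SANCTIONED
    return dict(stats)


def unsanctioned_report(log_text):
    """List (app, user_count, bytes) for unsanctioned apps, biggest egress first."""
    stats = discover_apps(log_text)
    rows = [
        (app, len(s["users"]), s["bytes"])
        for app, s in stats.items()
        if not s["sanctioned"]
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for app, nusers, nbytes in unsanctioned_report(SAMPLE_LOG):
        print(f"{app:40s} users={nusers} bytes={nbytes}")
```

Sorting by bytes rather than by hit count is deliberate: a file-transfer service used by two people that moved two megabytes is a more urgent data-handling conversation than a marketing mailer that sent two kilobytes, which is the kind of prioritisation a CASB dashboard gives a security team.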
Security professionals need to work hand-in-hand with developers to secure individual applications and the landing zone together, Turner said during a breakout session. Building base-layer security will get you about 80 percent of the way there, Turner said, providing some logging, identity controls and facilities from which incident response can be done.
"Security cannot be executed in isolation," Turner said. "Security is really a team sport. It's the only way we're ever going to move things forward."
Turner said companies should consider injecting firewalls into the applications themselves rather than putting them on the perimeter of the entire cloud. For apps that don't need the full strength of a next-generation firewall – or can't have a firewall put around them, like messaging queues – Turner said an access control list can be a suitable alternative.
"Ultimately, at the end of the day, you need to secure each app as its own," Turner said.
When it comes to Software-as-a-Service apps like Concur or Box, organizations should see if the vendor will provide visibility into the application security and access control models being used, according to Aubrey Turner, client solutions adviser for identity and access management at Optiv.
From there, Aubrey Turner said end users can determine how they want to go about provisioning accounts to the app, doing governance, and certifying access. The access certification process should address not only who has access to the app, according to Aubrey Turner, but also what within the app the employee has access to and how he or she is using the access.
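The three questions that certification process is meant to answer (who has access, what they can do inside the app, and whether they actually use it) can be turned into a reviewer worklist. The following is an added example, not Optiv's own tooling: it takes a constructed entitlement export from a hypothetical expense application, constructed last-use data, and a hypothetical department-to-role policy, and produces one finding per user-and-role pair that a reviewer needs to decide on. In a real review the entitlements and activity would come from the app's admin API or an identity governance tool.

```python
"""Build an access-certification worklist for a SaaS application.

Added example; not Optiv's code. Models the certification questions:
who has access, what within the app they hold, and how it is used.
"""
from datetime import date

# Constructed entitlement export: user, department, in-app roles.
ENTITLEMENTS = [
    {"user": "alice", "dept": "marketing", "roles": ["submitter"]},
    {"user": "bob", "dept": "finance", "roles": ["submitter", "approver"]},
    {"user": "carol", "dept": "finance", "roles": ["submitter", "approver", "admin"]},
    {"user": "dave", "dept": "engineering", "roles": ["approver"]},
    {"user": "erin", "dept": "sales", "roles": ["submitter"]},
]

# Constructed activity data: (user, role) -> date the role was last exercised.
LAST_USED = {
    ("alice", "submitter"): date(2017, 8, 1),
    ("bob", "submitter"): date(2017, 7, 20),
    ("bob", "approver"): date(2017, 8, 10),
    ("carol", "submitter"): date(2017, 8, 2),
    ("carol", "approver"): date(2017, 3, 1),
    ("carol", "admin"): None,  # granted but never used
    ("dave", "approver"): date(2017, 2, 14),
    ("erin", "submitter"): date(2017, 8, 12),
}

# Hypothetical policy: departments expected to hold each in-app role.
EXPECTED_DEPTS = {
    "submitter": {"marketing", "finance", "engineering", "sales"},
    "approver": {"finance"},
    "admin": {"finance"},
}
STALE_DAYS = 90


def review_access(entitlements, last_used, today, stale_days=STALE_DAYS):
    """Return one finding per (user, role) that needs a reviewer decision.

    A finding is raised when the role is unexpected for the user's
    department, has never been used, or has not been used within
    stale_days. Entitlements with no issues are omitted so the reviewer
    only sees what needs attention.
    """
    findings = []
    for ent in entitlements:
        for role in ent["roles"]:
            reasons = []
            if ent["dept"] not in EXPECTED_DEPTS.get(role, set()):
                reasons.append("role not expected for department")
            used = last_used.get((ent["user"], role))
            if used is None:
                reasons.append("never used")
            else:
                idle = (today - used).days
                if idle > stale_days:
                    reasons.append(f"unused for {idle} days")
            if reasons:
                findings.append({"user": ent["user"], "role": role, "reasons": reasons})
    return findings


def worklist_by_user(findings):
    """Group findings by user so each manager sees one packet per person."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], []).append((f["role"], f["reasons"]))
    return grouped


if __name__ == "__main__":
    for user, items in worklist_by_user(
        review_access(ENTITLEMENTS, LAST_USED, date(2017, 8, 15))
    ).items():
        for role, reasons in items:
            print(f"{user:8s} {role:10s} {'; '.join(reasons)}")
```

Two design points: the review is keyed on the role inside the app, not just on "has an account", because the article's point is that certification must cover what the employee can do within the app; and unused privilege is treated as a finding in its own right, since a never-used admin role is exactly the kind of standing access that governance and identity life-cycle processes are meant to catch.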
Aubrey Turner said the industry has largely been able to solve federated single sign-on – which allows a single authentication credential to access multiple systems within one organization. As a result, apps that are SAML-based can get integrated and stood up in a matter of minutes, Aubrey Turner said.
But Aubrey Turner said issues around governance and the life cycle of identities remain a challenge, particularly as it relates to who has visibility into various workloads, how much visibility they have, and which accounts receive the additional privilege of controlling those workloads. These decisions ultimately come down to having a complete understanding of users and identities.
SaaS application vendors are reacting to the demands for more governance and visibility by providing their partners with tools that can be used to obtain more insight into the identities of various users, Aubrey Turner said.
The level of visibility achieved is also somewhat dependent on the complexity of the app itself. For instance, Aubrey Turner said a platform like Microsoft Office 365, with email, messaging, storage and productivity capabilities, is more complex to wrap your arms around than a travel and expense management app like Concur.
As for gaining control over unauthorized apps, John Turner recommended that businesses take a step back and assess which internal processes and policies are driving employees or departments to use external systems. And if virtually no one is using the company-provided app or interface, John Turner said there might be another option out there that would be a better fit.
"At the end of the day, it's a lot about wrangling cattle," John Turner said. "You don't put a leash on 1,000 head of cattle and pull them together. You've got to make them want to go in a particular direction."