Visibility is a Prerequisite to Security

Last night I watched a fantastic episode of This Week in Startups with guest Aaron Levie of Aaron is a remarkable young CEO who really seems to understand and care about enterprise software, which is a rare combination.

One of the themes of the interview was that CIOs and IT departments at large organizations are starting to embrace the cloud, bottom up and top down.

He also noted that Fortune 500 companies are starting to develop or acquire cloud solutions to put in their portfolios (e.g., Oracle buys RightNow, SAP buys SuccessFactors). Cloud, cloud, cloud.

Then, about 23 minutes into the interview, the elephant in the room rears its giant head: but what about security?

Even the most progressive enterprises, Aaron remarks, have the philosophy: use any device you want (Mac, PC, iPhones), use any software you want, but secure the data at all costs.

They’d be foolish not to. We’re not talking about MP3s and funny cat photos. We’re talking about intellectual property, source code, patents, legal and HR documents, etc.

As the definition of “secure” evolves, every IT organization is faced with hard decisions.

We have to have a security model that fits today’s distributed work model. What is the correct balance between security and efficiency? Between availability and lockdown?

Levie goes on:

We have to redefine what it means to be secure and what it means to manage security. Then you move more into this category where visibility is security. If I have far more visibility into where my data is, who’s using it, every access, every event on it — maybe it’s a little more open, but people will use the product and I’ll actually see what’s going on with the data.

Visibility–by itself–is not security. If I put my company’s financial statements and intellectual property in the cloud and have complete visibility into who is accessing that data, all that would guarantee is that I could watch people steal it.  Imagine if banks just installed security cameras and declared themselves secure. Assuming the security tapes and audit trails are actually being used to catch and address undesirable activity, auditors call these “detective controls.”

More accurately, visibility is a prerequisite to security. Detective controls are a critical piece of the puzzle: they let you intelligently configure "preventive controls" and verify that those controls are working as intended. The combination of detective and preventive controls helps you prevent catastrophes and detect what you've failed to prevent.

Truly secure organizations build policies, procedures, and controls on top of visibility, including entitlement reviews, data loss prevention, content classification, defensible disposition, eDiscovery, disaster recovery, and many more.  These systems for preventing and detecting security problems have taken years to mature.

This blueprint will be required to reach a similar level of maturity in the cloud.

If you’re getting ready to move business data into the cloud, consider asking these questions:

  • Even if one cloud provider gives you complete visibility into accessibility and usage, how do you integrate it with your existing infrastructure? Other cloud data?
  • Visibility into access controls and usage isn't the only control you need, either. Content inspection, business continuity and disaster recovery, retention policies, authorization processes: all of these need to be addressed.
  • IT knows how hard it is to standardize these controls on infrastructure that's been around for years and is completely under their control. Cloud vendors are still figuring this out, their control capabilities vary greatly, and each vendor's interface may well be different.
  • Organizations need to set a minimum standard of controls for every platform, cloud or on-premise: access control visibility and automatable execution of changes, complete auditing that can integrate with other technologies, content inspection, automated archiving, etc.

Addressing these data management concerns on your own terms is difficult enough; convincing Google, Amazon, and Box to play by your rules when they have their own agendas, not to mention thousands of other customers to satisfy, is a whole new ball game.

The promise of the cloud is really exciting, but there’s a long way to go after visibility.

Image credit: praweena