Security On the Road: Why Transparency is Vital to the Enterprise
In the hyperconnected world that we live in, our apps, data and personal information are only a swipe away. But without the proper encryption and identity management tools in place, a hungry hacker can almost as easily swipe away that data.
Put simply, the threat landscape is far more treacherous than it was even a year ago. In 2013, CSA released “The Notorious Nine” – the nine most severe threats to cloud computing, with data breaches, account hijacking and shared technology issues at the top of the list – and we’ve seen these issues become very real in 2014. The recent problems we’ve seen with organizations like Target, P.F. Chang’s and Community Health Systems have forced many CIOs and CSOs to ask the question: what can we do to maintain control and security around critical company information?
We recently hit the road with Okta CSO David Baker, Box CEO Aaron Levie, Box Chief Trust Officer Justin Somaini, and SkyHigh CEO Rajiv Gupta to answer this very question, sharing security implementation best practices with CIOs in Philadelphia, Atlanta, Charlotte and Tampa. Their discussion took an interesting turn towards the need for software companies to be transparent as they become the providers of security.
But First, A Little History
It’s no secret that applications that have long been held on-premises are being replaced by their cloud-based counterparts, which IT departments and employees choose (sometimes without permission) based on their ability to enable flexible, efficient and speedy workflows for their users – what we like to call user-centric IT. But as David Baker commented in the session, companies also relinquish the ability to control the security of their applications in adopting these external solutions. (We like to say we’re not just software-as-a-service companies – we’re security-as-a-service companies.) Companies like Okta, SkyHigh and Box, as well as the hundreds of other cloud vendors on the market, must take on that added role of security provider. That comes with being transparent in your approach and being open to (and expecting) a laundry list of questions from potential customers.
And for good reason. In moving to the cloud, enterprises don’t typically work with only one software company – they’re selecting best-of-breed solutions to comprise their IT strategies, often partnering with many different vendors to do so. (In fact, IT organizations speculate that there are 30-40 enterprise applications being used by employees in the cloud. But in reality, an average company’s employees access more than 750 cloud applications – and only 7 percent of those are enterprise-ready.) In choosing the right technologies for their organizations and determining which of these apps are most secure for enterprise adoption, a certain amount of due diligence must be done. (SkyHigh Networks recently launched its Enterprise CloudRisk Dashboard and CloudTrust ratings for this purpose, providing scores, benchmarks, trends and recommendations to improve an organization’s path to cloud adoption.) Across identity management, content management, collaboration and more, IT now requires a multi-layered approach to secure its applications, identities and data.
Not All Vendors Are Created Equal
Let’s just say that not all vendors are created equal when it comes to transparency, and as such, companies need to do their homework, asking the right questions before they adopt new applications and services. David actually wrote a blog post entitled “Building Trust and Security Through Transparency of Service” on this very topic, touching on the importance of proactive communication, expectation setting and continuity in any cloud vendor relationship. It’s a great read for any IT leader looking to get a handle on what they need to be looking for in a cloud vendor – and the top questions they need to ask.
Stay tuned for more contributions from him, both on the best practices that Okta infuses into its service, as well as “homework questions” customers need to be asking prospective vendors in the near term.
And if you’re keen to discuss the importance of transparency from a security and trust perspective face-to-face, you’re in luck. We still have a few more stops to make on our cross-country CISO Roadshow in 2014 – including stops in New York City, Dallas and Houston. More details coming soon!