The easy availability of cloud services together with the revolution in the range of devices that can be used to access these services has created challenges for organizations in the areas of security and compliance. Employees and associates can use their own personal cloud services to perform their jobs without reference to their employer. Line of business managers can acquire cloud services without performing a risk assessment or considering the impact of these services on compliance. Some specific examples of the concerns that organizations have include:
- The geographic location where the customer’s data is held and processed and the potential for the Cloud Service Provider (CSP) and their staff to access this data.
- Government Access - The way in which governments can legally require access to the data being processed without seeking the permission of the cloud customer. The recent revelations around access to Yahoo emails by the US government[^1] is an example.
- GDPR - The European General Data Protection Regulation (GDPR) coming into force in May 2018 is another challenge for organizations holding personal data relating to people in Europe.
To meet these challenges, organizations need to take a governance led approach to the use of cloud services. However, this approach needs technology support to give visibility and to enforce controls. There are now products on the market providing this support. These are loosely categorized under the heading of Cloud Access Security Brokers (CASBs). KuppingerCole has analysed this market segment and recommends that these products should provide functionality that enables customers to:
- Detect Cloud Service Usage– the use of cloud services which have not been subject to an organizational assessment of the compliance risks and data protection requirements is a common concern for many organizations. Identifying the cloud services being used from within an organization and providing control over their use is a key capability to manage this risk.
- Control Usage of Cloud Services– access to the cloud services should be controlled so that business critical and regulated data can only be moved into approved cloud services. Employees should easily be able to access approved services and prevented from moving important data to non-approved services. The access controls should be based on existing organizational directories and should provide seamless access to approved services.
- Protect against Cyber Risks– there are different ways in which there could be unauthorized access to a customer’s data held in the service. A product should provide capabilities to detect threats to business-critical data and protect against unauthorized access and data leakage.
- Support Compliance - many organizations depend upon their data being processed and protected in a way that is compliant with laws and regulations. To support this need, the product should provide “out of the box” capabilities aligned with specific regulations. Ideally these capabilities should be independently certified or, at least, the vendor should be able to provide examples of customers who have successfully used the product to achieve compliance.
CASBs provide a valuable tool for organizations to improve the governance over their usage of cloud services. However, it is important for a customer using these products to understand their specific requirements and select products that match these.