Cloud services provide many benefits including the flexibility to meet changing levels of demand and the agility to deliver new business applications more rapidly. However, many organizations now have a hybrid IT environment where some IT services are delivered on premise, some are delivered through the cloud, and some involve both on premise and cloud. In addition, organizations in most industry sectors need to securely share information with their extended supply chain and partners. These factors create significant challenges around information security and regulatory compliance. For example, some common concerns are:
- The geographic location where the data is held and processed and the accessibility of this data by unauthorised actors.
- Government Access - The way in which governments can legally require access to the data being processed without the permission of the cloud customer being sought. The recent revelations around access to Yahoo emails by the US government is an example.[^1]
- Theft of Intellectual Property – sharing information through publicly available services potentially exposes it to unauthorized access.
- GDPR - The European General Data Protection Regulation (GDPR) coming into force in May 2018 is another challenge for organizations holding personal data relating to people in Europe.
In order to meet these challenges, organizations need to take a governance led approach. This needs technology support to give visibility to, and to enforce controls that are consistent across the whole of this hybrid environment. There is a range of products on the market that are intended to cover these needs. The most recent of which can be categorized under the heading of Cloud Access Security Brokers (CASBs). These products provide functionality which overlaps several areas including:
- Detect Cloud Service Usage– the use of cloud services which have not been subject to an organizational assessment of the compliance risks and data protection requirements is a common concern for many organizations.
- Control Usage of Cloud Services– access to the cloud services should be controlled so that business critical and regulated data can only be moved into approved cloud services.
- Protect Data – help to classify sensitive data, control where it can be stored and who can access it. This is sometimes achieved by integration with specialized Data Leak Prevention (DLP) products or Information Rights Management products.
- Protect against Cyber Risks– provide capabilities to detect threats to business-critical data and protect against unauthorized access and data leakage.
- Support Compliance - provide “out of the box” capabilities aligned with relevant regulations.
However most of the CASB products focus only on the cloud delivery model while what is needed are tools that cover the spectrum of IT service delivery models. This means taking an information centric approach to governance and security irrespective of where the data is stored or what IT technology is used.