The easy availability of cloud services together with the revolution in the range of devices that are used to access these services has created challenges for organizations in the areas of security and compliance. Employees and associates can use their personal cloud services to perform their jobs without reference to their employer. Line of business managers can acquire cloud services without performing a risk assessment or considering the impact of these on compliance. To compound the problem, mobile devices can be used to access these services from outside of the organizational perimeter.
The specific concerns of organizations using cloud services, and in particular Software as a Service, include:
- The geographic location where the data is held and processed and the accessibility of this data by the Cloud Service Provider (CSP) and their staff.
- Government Access - The way in which governments can legally require access to the data being processed without seeking the permission of the cloud customer. The recent revelations around access to Yahoo emails by the US government[^1] are an example.
- GDPR - The European General Data Protection Regulation (GDPR), coming into force in May 2018, is another challenge: organizations holding personal data need to be able to prove that the data has only been used for the agreed purposes.
In order to help organizations meet these challenges, a variety of products are now on the market. These have been loosely categorized under the heading of Cloud Access Security Brokers (CASBs). They provide functionality that overlaps several areas, including:
- Storage encryption – products that provide whole-disk, volume or file-level encryption of data.
- Rights Management – products that provide granular control over access to unstructured files.
- Data Leakage Prevention – products that provide discovery and control over the sharing, transmission and storage in the cloud of specific classes of data.
- Access Brokers and Gateways – products that discover which cloud services are being accessed and provide control over who can access those services and the functions they can perform.
One specific area of concern is the protection of data held in office productivity tools such as Office 365, Google Apps, etc. These tools and email are used to hold and exchange data across the whole spectrum of an organization’s activities, from the boardroom to the shop floor. It is imperative that organizations take steps to protect this data against leakage and unauthorized disclosure, both to safeguard their operations and to ensure compliance. KuppingerCole recommends that data held in cloud services should be encrypted in a way that is under the control of the customer.
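To make the recommendation concrete, the following is an added example (not code from KuppingerCole or from any CASB product) of what "encryption under the control of the customer" means in practice: a document is sealed with a key the customer generates and keeps, and only the resulting ciphertext, nonce and a key label are handed to the cloud service. The key store, the key label `tenant-key-2018-01` and the sample document are assumptions constructed for the example; the provider, or a government request served on the provider, receives nothing that can be read without the customer's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleDocument is a constructed stand-in for a file held in an office productivity service.
const sampleDocument = "Q3 forecast: revenue 4.2M; headcount plan attached."

// CustomerKey is a 256-bit key held in the customer's own key store (hypothetical: an HSM or
// on-premises KMS). It is never sent to the cloud service provider.
type CustomerKey [32]byte

// NewCustomerKey generates a fresh key from the operating system's CSPRNG.
func NewCustomerKey() (CustomerKey, error) {
	var k CustomerKey
	if _, err := io.ReadFull(rand.Reader, k[:]); err != nil {
		return k, err
	}
	return k, nil
}

// StoredObject is everything the provider receives: it contains no key material and no plaintext.
type StoredObject struct {
	KeyID      string // label of the customer key, so the right key can be selected for decryption
	Nonce      []byte // unique per encryption; required by AES-GCM
	Ciphertext []byte // includes the 16-byte GCM authentication tag
}

func newGCM(key CustomerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a document under the customer key before it leaves the customer's environment.
// The key ID is bound as associated data, so a stored object cannot be silently re-labelled.
func Encrypt(key CustomerKey, keyID string, plaintext []byte) (StoredObject, error) {
	aead, err := newGCM(key)
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredObject{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(keyID))
	return StoredObject{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a stored object. It fails, rather than returning garbage, if the key is wrong,
// the key ID was altered, or the ciphertext was tampered with while in the provider's custody.
func Decrypt(key CustomerKey, obj StoredObject) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed stored object: bad nonce length")
	}
	pt, err := aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.KeyID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered object")
	}
	return pt, nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	obj, err := Encrypt(key, "tenant-key-2018-01", []byte(sampleDocument))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes of ciphertext under key id %q\n", len(obj.Ciphertext), obj.KeyID)
	pt, err := Decrypt(key, obj)
	if err != nil {
		panic(err)
	}
	fmt.Printf("customer recovers: %s\n", pt)
	other, _ := NewCustomerKey() // any party without the customer key, including the provider
	if _, err := Decrypt(other, obj); err != nil {
		fmt.Println("without the customer key:", err)
	}
}
```

The point of the design is where the trust boundary sits: the cloud service is a store for opaque objects, access to the plaintext is governed by who can use the key, and revoking the key (or simply never exporting it) answers the geographic-location and government-access concerns above without relying on the provider's own controls. In a real deployment the key would be generated and held in an HSM or on-premises key manager rather than in process memory.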