Growing numbers of information security executives are learning just how expansive their organizations' use of cloud computing is. And let's just say the findings are often shocking.
With many companies unknowingly using thousands of cloud services, it's no wonder they're turning in larger numbers to cloud access security brokers. CASBs, as they're referred to, are essentially security enforcement points placed between users and clouds that apply a company's security policies to data being exchanged with those clouds. They also can provide valuable statistical profiles of a company's cloud usage.
The rising need for such capabilities drew hundreds of RSA Conference attendees Tuesday to a panel discussion in which early adopters of CASBs shared their experiences. In fact, the panel moderator, Neil MacDonald, a VP and distinguished analyst at Gartner, took an informal poll of the audience and estimated that fewer than 20 percent had already deployed a CASB, while nearly 40 percent planned to do so this year.
Many of the newbies will soon relate to panelist Alissa Johnson, CISO of medical device maker Stryker Corp.
Johnson, who is the first CISO in the company's 70-year-plus history, went against her instinct and deployed a CASB, ultimately confirming that the company was using more than 2,000 cloud services.
After her initial surprise that there were that many cloud providers in existence, Johnson was able to use the information to help her cause.
"I was trying to tell a story [to Stryker's board of directors], and it wasn't a hard sell," she said. "Once I said we have more than 2,000 cloud services being used, the next statement I got was, 'how much do you need to fix this?'"
MacDonald, who coined the CASB terminology, said that Johnson's story was a perfect illustration of the degree to which companies that don't have CASBs deployed are operating in the dark. CASB technology shines a light on cloud usage so that organizations can better assess their risk.
"You can't secure what you can't see," MacDonald said.
And it's not just being unable to secure; it's being unable to even understand how a company's actions may be threatening valuable data.
"You can't have a reasonable risk conversation if you're not taking some sort of measurement," said Richard Puckett, CISO of General Electric. "For instance, is [having] 75,000 people using Evernote a risk to the enterprise?"
Jerry Archer, senior VP and chief security officer for Sallie Mae, wasn't looking to get either risk analysis or a cloud service inventory, although he admitted that there would be thousands of cloud providers on the list. Instead, he wanted to make sure that Sallie Mae's stringent security policies were being applied, and that the organization wasn't relying on providers' security.
That meant never letting any of Sallie Mae's cloud providers have access to its encryption keys, and having its CASB encrypt data before it leaves for the cloud.
Similarly, Gerard Brady, global CISO for Morgan Stanley, said he and his team are working on ensuring that everything they store in Box is encrypted first, and that only they have the keys.
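The posture Archer and Brady describe, encrypt before upload and keep the only copy of the keys, is usually built as envelope encryption at the enforcement point. The following is an added illustration written for this page; it is not Sallie Mae's, Morgan Stanley's, Box's or any CASB vendor's code. It assumes AES-256-GCM, a constructed 32-byte master key standing in for one held in the organization's own key store, a random per-object data key wrapped under that master key, and the object path used as associated data so a stored blob cannot be quietly re-labelled as a different object. The provider receives only the wrapped key and ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const (
	keyLen     = 32                     // AES-256 key
	nonceLen   = 12                     // standard GCM nonce
	wrappedLen = nonceLen + keyLen + 16 // nonce || wrapped data key || GCM tag
)

// gcm returns an AES-256-GCM AEAD for key.
func gcm(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts pt under key with a fresh random nonce and returns
// nonce || ciphertext || tag. aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; any change to the blob or a different aad fails.
func open(key, blob, aad []byte) ([]byte, error) {
	a, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceLen {
		return nil, errors.New("blob too short")
	}
	return a.Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

// EncryptForUpload is the outbound path at the broker: a fresh per-object data
// key encrypts the object, the data key is wrapped under the organization's
// master key, and the provider stores only wrappedKey || encryptedObject.
// The master key never leaves the organization.
func EncryptForUpload(masterKey, plaintext []byte, objectID string) ([]byte, error) {
	dataKey := make([]byte, keyLen)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := seal(masterKey, dataKey, []byte(objectID))
	if err != nil {
		return nil, err
	}
	body, err := seal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return append(wrapped, body...), nil
}

// DecryptFromDownload is the inbound path: unwrap the data key with the
// master key, then decrypt the object. Wrong key, wrong objectID or a
// modified blob all fail authentication.
func DecryptFromDownload(masterKey, blob []byte, objectID string) ([]byte, error) {
	if len(blob) < wrappedLen {
		return nil, errors.New("blob too short")
	}
	dataKey, err := open(masterKey, blob[:wrappedLen], []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, blob[wrappedLen:], []byte(objectID))
}

func main() {
	// Constructed master key for the demo; a real deployment loads it from a
	// key store the cloud provider cannot reach.
	master := bytes.Repeat([]byte{0x42}, keyLen)
	blob, err := EncryptForUpload(master, []byte("loan application #1"), "borrowers/app-1.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes of ciphertext\n", len(blob))
	pt, err := DecryptFromDownload(master, blob, "borrowers/app-1.json")
	fmt.Printf("organization reads back %q (err=%v)\n", pt, err)
}
```

The trade-off a practitioner should weigh before adopting this: because the provider never sees plaintext or keys, its own search, preview and sharing features work on opaque bytes, and losing the master key means losing every object wrapped under it, so key backup and rotation become the organization's problem rather than the provider's.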
The visibility a CASB provides also makes it possible to build comprehensive lists of approved and unapproved cloud services. How that information is used varies from one company to another.
For instance, because it's new to CASBs, and to having a CISO, Stryker takes a soft-handed approach to guiding users to preferred cloud providers.
"We have a pop-up box that comes up when people use non-approved services, warning them that they should consider switching because that service will be blocked," said Johnson.
Meanwhile, Sallie Mae has a policy that prohibits anyone from using an unapproved cloud app to move information out of the company. If someone does just that, and Archer and his team determine through investigation that it was done willfully, the employee in question can be fired.
"We try to catch stupid anywhere we can," said Archer.
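The discovery-then-enforcement loop the panelists describe, profiling every cloud service in use and then applying either the soft warn posture or the hard block posture to anything not on the approved list, is shown below as an added example. It is written for this page, not taken from any CASB product or from the policies of the companies named. It assumes a constructed proxy-log format of "user host bytes", a tiny constructed service catalog standing in for the thousands of entries a real broker ships, and a Policy struct holding the approved list plus the mode for everything else.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Action is what the enforcement point does with traffic to a cloud service.
type Action string

const (
	Allow Action = "allow" // sanctioned service
	Warn  Action = "warn"  // unsanctioned: let it through but warn the user
	Block Action = "block" // unsanctioned: deny
)

// Policy is the approved-services list plus the posture for everything else.
type Policy struct {
	Approved map[string]bool // service name -> sanctioned
	Mode     Action          // Warn or Block for unapproved services
}

// catalog maps a registrable domain to a service name. Constructed for this
// example; a real broker ships a catalog covering thousands of services.
var catalog = map[string]string{
	"box.com":      "Box",
	"evernote.com": "Evernote",
	"dropbox.com":  "Dropbox",
}

// serviceFor returns the catalog name for host (the domain itself or any
// subdomain of it), or "" when host is not a known cloud service.
func serviceFor(host string) string {
	for domain, name := range catalog {
		if host == domain || strings.HasSuffix(host, "."+domain) {
			return name
		}
	}
	return ""
}

// parseLine reads one "user host bytes" record (constructed format).
func parseLine(line string) (user, host string, n int, ok bool) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return "", "", 0, false
	}
	n, err := strconv.Atoi(f[2])
	if err != nil {
		return "", "", 0, false
	}
	return f[0], strings.ToLower(f[1]), n, true
}

// ServiceStats is the inventory entry for one discovered service.
type ServiceStats struct {
	Users  map[string]bool
	Bytes  int
	Action Action
}

// Decide applies the policy to a single service.
func Decide(service string, p Policy) Action {
	if p.Approved[service] {
		return Allow
	}
	return p.Mode
}

// Inventory is the "you can't secure what you can't see" step: it profiles
// every cloud service seen in the log and records the enforcement decision.
func Inventory(lines []string, p Policy) map[string]*ServiceStats {
	inv := map[string]*ServiceStats{}
	for _, l := range lines {
		user, host, n, ok := parseLine(l)
		if !ok {
			continue // malformed record; count these separately in production
		}
		svc := serviceFor(host)
		if svc == "" {
			continue // not a cloud service in the catalog
		}
		s, seen := inv[svc]
		if !seen {
			s = &ServiceStats{Users: map[string]bool{}, Action: Decide(svc, p)}
			inv[svc] = s
		}
		s.Users[user] = true
		s.Bytes += n
	}
	return inv
}

// sampleLog is constructed for this example.
var sampleLog = []string{
	"alice box.com 120000",
	"bob app.box.com 3000",
	"carol evernote.com 51000",
	"dave www.dropbox.com 980000",
	"erin evernote.com 700",
	"frank intranet.example 4000",
	"malformed line",
}

func main() {
	p := Policy{Approved: map[string]bool{"Box": true}, Mode: Warn} // soft posture
	inv := Inventory(sampleLog, p)
	names := make([]string, 0, len(inv))
	for n := range inv {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		s := inv[n]
		fmt.Printf("%-9s users=%d bytes=%-7d action=%s\n", n, len(s.Users), s.Bytes, s.Action)
	}
}
```

Switching Mode from Warn to Block is the whole difference between the two postures described above; the inventory is identical either way. Note that a proxy-log feed only profiles traffic that actually traverses the proxy, so devices off the corporate network are a blind spot this approach does not close on its own.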
On one point all of the panelists agreed: the potential benefits of CASB technology to RSA attendees. That's probably because they all know from experience that, in every case, cloud use is far more widespread than most security leaders realize.
Said Puckett: "Anyone who thinks they have control of this should think again."