As recently as 12 months ago, IT personnel would talk about security being a salient concern about going to the cloud. Just yesterday Dark Reading released another such report that packages the same concerns with fresher statistics (http://ubm.io/1qlMVgJ). There has been a bit of a cottage industry that grew up to feed those sentiments – block the apps you can’t control, put ACLs on your FW/proxies to block domains/URLs – broad-brushed to connote apps – and you’ll be secure, and other such misinformation. There have been colorful terms used to explain the reality that cloud is being adopted in a big way – any concerns notwithstanding.
As I meet more and more prospects, the nature of the conversations has changed in an unmistakable manner. Even the most straitjacketed of enterprises want to take advantage of the cloud. I met with a panel of CISOs across various industries and it was unmistakable that enterprise security architecture is evolving to be about enabling the safe use of a collection of services instead of being a diktat on how to secure an application after the fact. Given the elevated sense of urgency around security these days, some CISOs have been able to put paper workflows together such that their legal/procurement departments ask the security team before sanctioning apps that come through the ‘front door’. However, when these requests do come in, CISOs had better be able to give an informed answer in a timely manner. Miss a beat a couple of times, and you might as well cast this workflow aside, since it is getting in the way of the business.
Just to pick one example from my meetings last week, a customer had earlier gone down the often-heard path of blocking Dropbox, simply because it was perceived as a consumer application and hence assumed to be unsafe. That in and of itself is an uninformed conclusion. Within the space of one day, they started getting requests for exceptions – not all of them polite. Without actual data from their own environment to inform such a decision, they were inadvertently breaking business processes. A few days into this confusion, yes – they did have a policy to block Dropbox, but no, they didn’t quite have the expected outcome. Dropbox is still their most often-used storage app – for good reason. And they are back to square one in terms of safely enabling Dropbox and other cloud-resourced apps for their entire user population, whether they are at their office locations or working outside the four walls of the offices.
As we walked this prospect, and now a customer, through our philosophy of making data-driven decisions, there was a palpable sense that effective solutions do exist to solve their problem. It starts with complete visibility of the apps being used and the ability to influence the usage of an app in a nuanced manner – not blocking Dropbox outright, but informing end users when they share a document that contains sensitive information outside of the core group, and not allowing the upload of snippets of production source code.
The ironic thing is that the folks who used the blunt tool of ‘block/allow’ on URLs/IPs are the ones who appreciate the more fine-grained approach the most. Getting a report of apps being ‘used’, with the bits and bytes being exchanged within their office network, is quickly becoming just ‘busy work’ for them. With the right solution in place from Netskope, they are becoming the enablers in their organizations.
As one of the bellwether CISOs at this event said: “Netskope is a company that is actually solving a real problem we have in our company.” I couldn’t have said it better than that.