In spite of the upsurge of interest in the public cloud and its applications in recent years, it came as no big surprise at a recent event I hosted that most Indian enterprises are still testing the waters.
The roundtable discussion on "Making A Public Cloud Private" looked at public cloud security pain points and the level of awareness around technologies such as cloud access security brokers to address these. The discussion included 19 security practitioners in Mumbai from across verticals like banking, infrastructure, insurance, manufacturing and telecom - seasoned veterans all. While a couple of years ago just talk of public cloud would have been a strict no-no, many now concede that public cloud application usage within the organization is an inevitability. The partner for this roundtable was Blue Coat.
Public cloud provider security is focused on the infrastructure layer and does not look at business-specific risk mitigation, which at the end of the day is unique to each organization, and their own responsibility.
Scalability and the multichannel nature of the business are among the key drivers. Additionally, many organizations that missed the cloud bus in the past five years are approaching IT refresh cycles, and they have an acknowledged need to dump legacy IT infrastructure with its many thousands of servers. They happen to be considering cloud at a juncture where public cloud services are relatively mature, compared to the offerings available to early adopters in India.
Public Cloud: India's Stance
Developments such as the increasing use of "Shadow IT," outside the IT department's influence, mean that organizations today may not even have a clear idea of all the public cloud apps in use, let alone the risks this entails - an idea corroborated by my roundtable participants. Cloud usage is increasingly extending outside of the IT department today, with other business functions directly leveraging the enablement, productivity and economies of efficiency this brings.
However, hurdles to public cloud popularity are still aplenty, and some big Indian organizations and early adopters still swear by their private and hybrid cloud infrastructures. Banking, for instance, is a vertical with a strong emphasis on data governance and residency, an issue that has only just begun to be addressed by the likes of AWS and Azure in the past year or so.
Visibility, accountability and a perceived lack of maturity when it comes to geography; specific needs like SLAs; and clear contractual liabilities all play truant. But the biggest challenge to the public cloud has been the inability to administer the environment and enforce policy the way an organization can within its own perimeter.
That organizations will move more and more workloads to the cloud is an inevitability. Gartner predicts that by 2018, organizations will have 51 percent of the app spending in the public cloud. It's a big business enabler, and it's here to stay - flexibility and economics being its biggest selling points.
And the lack of security assurance is also going to remain its biggest concern. While public cloud providers today provide more and more world-class security controls, security here is focused on creating visibility on audits and certifications like SOC 2 and others focused on the infrastructure layer.
Security provided by public cloud services does not focus on business-specific risk mitigation, which, at the end of the day, is unique to each organization and their own responsibility. With "Shadow IT" - or the politically correct version, "Business Enabled IT" - increasing, ensuring compliance with the organization's security policies and risk mitigation practices in these cases is difficult.
This is where CASBs come in. CASB, a term Gartner coined in 2014, is a visibility and policy control point that sits between an organization and the public cloud.
Why is CASB Going to be Big?
CASB promises to get rid of the "Shadow IT" menace, and put the power back in the hands of IT when it comes to enforcing policy and ensuring compliance across the organization. However, awareness of CASB technology appears to be nascent in India, judging from the discussion. This is not to say that CASB in itself is an unknown term - people seem to be aware of it as a buzzword and a concept - but its utility and implications for cloud security seem not all that well understood.
But Gartner is predicting that the CASB market is going to grow apace to $500 million by 2017 from $100 million in 2015. And while awareness may still be low, India has all the right conditions that will make it a prime market. Consider the four pillars CASBs work around:
- Visibility: What apps users access and how often. How many are authorized, how many aren't, directly tackling the Shadow IT issue;
- Compliance: A chance to ensure your organization's public cloud app use is not in contravention of any internal or external compliance regimes;
- Threat Prevention: This piece looks at authorization and access control - internal user vs. malicious outsider;
- Data Security: Viz. encryption, tokenization and DLP, which gives the ability to ensure that your IPR, PII & PCI, and other critical information in the public cloud remains secure, and you have the key.
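To make the Visibility pillar concrete, here is an added example (not from the roundtable or from any CASB product) of the kind of discovery pass that pillar describes: it reads web proxy log lines, maps destinations to cloud apps, and reports which unsanctioned apps are in use, by whom, and how much data went up. The log format, app catalog, domains and user names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed catalog (hypothetical policy): domain suffix -> (app, sanctioned by IT?)
APP_CATALOG = {
    "sharepoint.example": ("CorpDocs", True),
    "filedrop.example": ("FileDrop", False),
    "notes.example": ("QuickNotes", False),
}

# Constructed proxy log: timestamp user destination_host bytes_uploaded
SAMPLE_LOG = """\
2016-03-01T09:00:12 asha team.sharepoint.example 1200
2016-03-01T09:02:40 ravi www.filedrop.example 5242880
2016-03-01T09:05:01 asha www.filedrop.example 1048576
2016-03-01T09:09:10 ravi notes.example 2048
2016-03-01T09:11:54 ravi www.filedrop.example 3145728
malformed line without enough fields
2016-03-01T09:15:00 meera intranet.corp.example 100
"""

def match_app(host):
    """Return (app, sanctioned) for the longest matching catalog suffix, else None."""
    host = host.lower().rstrip(".")
    hits = [s for s in APP_CATALOG if host == s or host.endswith("." + s)]
    return APP_CATALOG[max(hits, key=len)] if hits else None

def discover(log_text):
    """Aggregate hits, distinct users and upload volume per catalogued app."""
    report = defaultdict(lambda: {"sanctioned": None, "hits": 0, "users": set(), "bytes_up": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1  # count unparseable lines instead of silently losing them
            continue
        app = match_app(parts[2])
        if app is None:
            continue  # destination is not a catalogued cloud app
        row = report[app[0]]
        row["sanctioned"] = app[1]
        row["hits"] += 1
        row["users"].add(parts[1])
        row["bytes_up"] += int(parts[3])
    return dict(report), skipped

def unsanctioned(report):
    """Unsanctioned app names, largest upload volume first."""
    names = [n for n, r in report.items() if not r["sanctioned"]]
    return sorted(names, key=lambda n: report[n]["bytes_up"], reverse=True)
```

Calling `discover(SAMPLE_LOG)` and passing the resulting report to `unsanctioned()` ranks the apps IT has not approved by upload volume, which is the starting point for the compliance and data security pillars.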
This sounds like a sweet deal. Even at our discussion, practitioners were intrigued, and to many the concept and function - while new - seem a great fit. As emerging markets such as India/Asia accelerate cloud adoption, and attendant security issues demand more attention, CASBs seem to be appropriately positioned to keep the digital transformation ball rolling.
The need is clear and present. Whether India's security leaders can put CASBs to good use remains to be seen.