In today’s rapidly changing IT world, business users in your organization are going to seek the agility and increased capabilities of the cloud whether or not your IT operation sanctions it. So your efforts to provide IT security in the cloud need to start with embracing that fact and working to build secure practices from there.

In EMC’s Global Security Organization, we found that the best way to secure the cloud is to actually become a part of it rather than trying to fight it. As a part of the solution, you can build better, secure offerings that will allow you to protect your data and get a better experience for the user.

For the past nine months, GSO has been identifying shadow IT applications (or business-managed IT) in the cloud using a security monitoring appliance, RSA NetWitness, in conjunction with increased security analytics. This gives us a comprehensive view of our network traffic, including shadow IT. And rather than blocking those shadow users from continuing their cloud-based operations, we work with them to provide IT-controlled solutions that still serve their business needs in a secure way.

The message we are striving to promote is one of helping as opposed to policing their efforts. We are giving users the same functionality, but with the ability to manage it and protect EMC’s data.

After all, IT security is no longer just about securing the perimeter of your IT environment to keep bad guys out and sensitive data in. Users are working in the cloud and accessing data from outside your organization’s walls, so IT security needs to shift its strategy away from setting standard internal system controls toward building governance and insight that control access to the cloud based on user identity and authentication.

A gatekeeper, not a roadblock.

We need visibility into traffic and resources, and the ability to inspect the traffic, understand what it is, and put security policies around it. If it is sensitive data, you may want to block certain traffic. Or you can make sure those accessing sensitive data are doing so from IT-managed devices and that information is encrypted.

Our vision is to have a layered, risk-based approach to allowing access to cloud resources. The risk-based model we are developing is based on the following user criteria:

  • What device are you using?
  • Where are you coming from?
  • How are you getting here?
  • Where are you going?
  • What’s your history?

If a user would like to access publicly available data from their mobile device, access requirements will be minimal. However, if a user is seeking access from an unfamiliar location based on our data, we may want to step up authentication requirements to validate their credentials. When it comes to cloud security, one size doesn’t fit all.
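As an added illustration of the layered, risk-based model described above (constructed for this page, not EMC’s own policy engine), the following Python scores a request on the five criteria and maps it to allow, step-up authentication, or block. The weights, the baseline country set, the channel names and the sensitivity labels are all assumptions.

```python
from dataclasses import dataclass

# Constructed example: one request carries a signal for each of the five criteria.
@dataclass
class AccessRequest:
    managed_device: bool       # What device are you using? (IT-managed or not)
    source_country: str        # Where are you coming from?
    channel: str               # How are you getting here? ("vpn", "sso" or "direct")
    resource_sensitivity: str  # Where are you going? ("public", "internal", "confidential")
    recent_failures: int       # What's your history? (failed logins in the recent window)

# Assumed baseline of locations seen in this user's prior history.
USUAL_COUNTRIES = {"US", "IE"}

# Assumed weights; a real deployment would tune these from its own analytics.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2}


def risk_score(req: AccessRequest) -> int:
    """Sum the risk contributed by each criterion; higher means riskier."""
    score = 0
    if not req.managed_device:
        score += 1                        # unmanaged device: less assurance
    if req.source_country not in USUAL_COUNTRIES:
        score += 3                        # unfamiliar location per our history data
    if req.channel == "direct":
        score += 1                        # no VPN/SSO context to vouch for the session
    score += SENSITIVITY_WEIGHT[req.resource_sensitivity]
    if req.recent_failures >= 3:
        score += 2                        # recent failed attempts raise suspicion
    return score


def decide(req: AccessRequest) -> str:
    """Map the score to a layered decision: 'allow', 'step_up' (extra auth) or 'block'."""
    # Hard rule from the post: sensitive data only from IT-managed devices.
    if req.resource_sensitivity == "confidential" and not req.managed_device:
        return "block"
    score = risk_score(req)
    if score <= 2:
        return "allow"                    # e.g. public data from a personal mobile device
    if score <= 5:
        return "step_up"                  # e.g. unfamiliar location: validate credentials again
    return "block"
```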

With today’s advances in Big Data and analytics, we are also devising a process that uses security analytics to review logs and traffic and determine the effectiveness of our security policies. Are we allowing too much traffic in some areas? Are we blocking too much traffic in others? Maybe we need to combine one policy with another to get better results. We are currently evaluating policy changes using Big Data information.

Understanding your data

One of the first steps your organization needs to take in order to create a risk-based approach to securing cloud access is to understand your data. That means classifying your data in terms of sensitivity and establishing employee roles in regard to data access. You can then use classification to put controls in place around your data to establish access models.

Managing the lifecycle of user access is critical. We have a fully integrated identity access management tool, so we know when people change roles or leave the company, and that their identity has been removed from the network.

Setting up integrated authentication for accessing resources is one of the first things IT would do in launching a new IT project in the cloud. However, shadow IT users don’t necessarily take that step. They often set up various passwords and processes as they use non-IT cloud solutions. So one of the first things we look at when we begin working with business users to secure their shadow cloud operations is how we can integrate that identity into our management process.

It isn’t about trying to turn these applications off and hampering business users; it’s about working with them to find best practices for managing their cloud: identity access management, governance, and access roles. For us, it’s about creating visibility into the cloud and helping them understand what’s going on.

We still have a long way to go. But I feel better than I did last year, when my only tool was blocking cloud applications. Whether we are dealing with private, hybrid or public clouds, we want to create a seamless experience for our users with adaptive but secure policies that protect our organization.

Steen Christensen

Director, Information Security, Global Services at EMC