Letting your users go rogue in the cloud

Cloud computing is ubiquitous in many enterprises today, and dealing with cloud security is a challenge, particularly when users do not adhere to IT policy. Panelists at RSA Conference 2014, who hailed from various industries, debated the best ways to harness the benefits of the cloud while balancing the risks. An overarching theme centered around how utilizing the right applications can enhance the risk management process.

Senior VP and CIO of Universal Music Group Arthur Lessard confessed to being excited about the cloud and acknowledged the limits of restricting services in the name of security. “We’re an entertainment company, not one that deals in financial services or pharmaceuticals. If I block services, users will find other ways to use these same services, such as going to Starbucks.”

Lessard instead called for vendors to supply applications that give better visibility into how well security services are performing in a cloud environment. The issue centers around protecting our users, no matter where they happen to be, Lessard said.

VP of IT operations at Netflix Mike Kail similarly supported the call for applications that provide enhanced visibility. Netflix is a firm supporter of the cloud and is currently deploying SaaS and other cloud applications. “With social and mobile gaining traction among users, there’s no longer the notion of what’s internal or external,” shared Kail. “The challenge now is around how we can provide secondary and contextual awareness, in light of all that’s going on. How can we obtain audit logs of all activity, while providing our users with the same experience no matter where they happen to be working at?”

Dealing with policy

Users have been going rogue since the first PC was built, stated Alan Boehme, chief of enterprise architecture, business innovation and emerging technologies at The Coca-Cola Company. “With tablets and phones now entering the enterprise, it just doesn’t make sense to build castle walls any higher, as people are constantly attacking them.”

The current challenge lies in conducting business in a secure manner, Boehme continued, adding that traditional security tools designed for early systems are hardly effective in today’s context. Boehme also acknowledged that a one-size-fits-all approach does not work when contemplating cloud solutions and security on a global scale. The Coca-Cola Company does business in all countries worldwide except for North Korea and Cuba.

“It wouldn’t work for a CRM vendor to charge $60 per seat in countries like Vietnam or Cambodia,” said Boehme. “IT will end up looking for local cloud solutions instead.”

“Controlling where your users go within a corporate network, and restricting access to applications such as Facebook is ridiculous when everyone has a smartphone,” said Lessard. “The focus now is protecting company data no matter how and where people want to use it.”

Times are changing, and gone are the days when the IT department sends emails restricting users, panelists agreed.

Lessard confessed to not being a fan of issuing lengthy IT policies. “We’ve moved away from the days when IT policy was 70 pages long and nobody ever read it,” said Lessard. “We’re in the education phase today, advising users on how they’re supposed to interact with cloud storage and have a standard around how content is to be moved around.”

Lessard is aiming to progress to the compliance monitoring phase, with visibility into which users are violating policy. “We need to know what people are storing in the cloud and there are very specific issues around what they can or cannot do.”

Having greater visibility would be highly beneficial to the company, Lessard added. “It can help us understand what users are trying to do and enable us to advise them on a better way to do it that does not compromise security.”

Do not prohibit or restrict the users, advised Kail, adding that having IT policy in place might only upset users. “Instead, make sure you know where the data is and think about how to analyze it.”

Allow is the new block

The inevitable shift to mobile and the cloud has left IT departments working on integrating various applications and making them compatible with the mobile platform, shared Boehme, who called for vendors to play a more active role in releasing products to address this need.

The Coca-Cola Company is moving toward BYOD but is facing security issues with the various operating systems out there, Boehme shared. “Mobile device management is dead and I would never let mobile device management go on a personal phone.”

Both Netflix and The Universal Music Group have, however, taken BYOD in their stride.

Netflix has no BYOD policy, Kail shared. Netflix staff will be issued with a device if they want one, and are also free to bring their own devices, which will be put on the company’s platform. Similarly, Universal Music Group allows for both BYOD and a company-assigned device.

“IT’s new role is to understand cloud applications and how the APIs work with each other to communicate with other cloud applications,” said Kail. “Inspect, allow and educate. IT should always provide users with a context as to why something is bad.”