©COPYRIGHT 2016 451 RESEARCH. ALL RIGHTS RESERVED.

What’s Next in Cloud Security: Current State, Trends and Investment Plans for Advancing Cloud Security

April 2016

Black & White Paper. A report on research commissioned by Salesforce.


NEW YORK: 20 West 37th Street, New York, NY 10018, +1 212 505 3030

SAN FRANCISCO: 140 Geary Street, San Francisco, CA 94108, +1 415 989 1555

LONDON: Paxton House, 30 Artillery Lane, London, E1 7LS, UK, +44 (0) 207 426 1050

BOSTON: One Liberty Square, Boston, MA 02109, +1 617 598 7200

About 451 Research

451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.

© 2016 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The terms of use regarding distribution, both internally and externally, shall be governed by the terms laid out in your Service Agreement with 451 Research and/or its Affiliates. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

About this paper

A Black & White paper is a study based on primary research survey data which assesses the market dynamics of a key enterprise technology segment through the lens of the ‘on the ground’ experience and opinions of real practitioners — what they are doing, and why they are doing it.

Overview

What you will learn from this report

1. Compliance is not enough: moving toward a prevention model for cloud app security

2. Cloud data access monitoring anxieties: risk management takes center stage

3. Putting your money where your risk is: 2016 investment outlook increases focus on monitoring and analytics to drive prevention

Executive Summary

Adoption of cloud applications is at an inflection point. In North America, enterprise use has not only broadened to include at least half of an enterprise’s applications (in the UK, France and Germany at least one-quarter of enterprise applications are consumed as a cloud service) but cloud application use has also deepened to encompass more critical business processes. As in the first phase of adoption, compliance and security loom large in the next phase, but the challenge has expanded to sensitive, regulated and proprietary data.

Although many of the same tools will be in play in the next phase, managing access risk is coming to the fore and spurring investments in monitoring and reporting, as well as data classification and data-loss prevention. This is one of the conclusions of a comprehensive survey of more than 250 senior information security professionals conducted by 451 Research in North America, the UK, France and Germany. As enterprises evaluate how to move more sensitive data to the cloud application provider’s environment, the growing emphasis is on understanding data usage in context, and taking a proactive approach to potential risks of data usage and access patterns based on real-time events in order to better operationalize prevention.

This emphasis on a prevention-centric model supported by analytics and risk modeling is consistent with broader information security trends – and especially facilitated by cloud application architecture and APIs. With the right set of analytics in place that consume granular, field-level events and metadata in real time, security professionals may have a far greater ability to detect anomalous activity and mitigate risk through access controls, user behavior intervention and extensible policies in the cloud than they have for legacy, on-premises applications.

The implications are profound for both cloud application use and security models: compliance no longer trumps security, and risk concerns don’t center only on who is accessing data, but also what data and how. As a result of increased investment in security, 69% of 451 survey respondents plan to move workflows that use regulated data into the cloud – respondents in France lead the pack followed by the US, Germany and the UK. Data security, monitoring and user-activity logging now lead those investment plans for this year, up significantly from current investment levels. Spending intentions in these categories have now drawn even with planned investment in the tools that facilitated the first phase of adoption: identity and access management and encryption of data at rest.

Despite the high level of interest in moving regulated data to the cloud this year, internal opposition to moving sensitive data and workloads to cloud application environments persists. For some North American organizations, data-residency issues introduced by the EU-US Privacy Shield have emerged as a challenge. The onus is on both security professionals and platform providers to demonstrate that the level of monitoring and visibility into data access in the cloud trumps on-premises tools in supporting the transition toward a risk-led prevention model.

Key Takeaways

Cloud applications are no longer a ‘maybe’ but a foregone conclusion for the vast majority of respondents. With 69% of survey respondents indicating 2016 plans to move more regulated data into the cloud based on increased investment, the focus is now shifting from meeting compliance to managing risk to sensitive data, including detecting breaches through end-user-activity monitoring. UK respondents are generally more cautious and also see greater need for end-user access, encryption of data at rest and clear separation of duties for IT administrators.

The heightened concern about not only who has access to sensitive data but also how sensitive data is accessed is driving planned security investment in monitoring, analytics and encryption, especially platform-native encryption.

The major challenges that have emerged for migrating more regulated data into the cloud reflect a broader shift by security professionals toward risk containment and proactive response to potential breaches, with the capability to detect and remediate suspicious access to data viewed as very important by 55% of survey respondents and a critical requirement by another 20%. Existing on-premises tools for data classification and access monitoring meet cloud needs for only one-fifth of respondents.

As needs become more sophisticated, customers want options, customization and flexibility via APIs – not a ‘one size fits all’ offering. Roughly 84% of respondents see the lack of extensible security and governance tools that are easily integrated via APIs to be a hurdle to broader cloud application adoption.

Even as internal opposition continues to figure prominently as a challenge to expanding use of cloud applications (especially outside of North America), CISOs and security professionals have their own reasons for not moving sensitive data to the cloud – with data-residency concerns especially pronounced outside of North America. The need for real-time monitoring of data activity and the complexity of current security offerings are the most prevalent reasons across all regions.

North America continues to lead in adoption of cloud applications in general, followed by the UK. However, the number of respondents in the UK and Germany with more than one-quarter of their application estates consisting of cloud apps is growing fast. General mistrust of cloud applications remains highest in France.


Recommendations Summary

Avoid a ‘one size fits all’ approach

CISOs are not going to be satisfied with a general approach to their specific needs: platform providers will need to go deeper in terms of their native capabilities, while third-party tools will need to go wider to provide analytics and monitoring across the cloud application estate.

Test, test and test again

Testing should be implemented to evaluate whether policy violations can be flagged with a high degree of certainty. False positives are equally damaging because they undermine user confidence in security tools and prompt workarounds.

Put internal stakeholders at ease but avoid complacency

Just because users can be more secure in the cloud doesn’t mean that they will be without the right processes and risk mitigation workflows in place.

Balance risk mitigation with ease of user access

Risk-mitigation processes should be facilitated through planned investment in analytics and monitoring, but security teams need to find the happy medium between control and efficient business processes.

Leverage the power of field-level data and metadata

The onus is on customers to invest in the development of policies that leverage all the granular information and insights from field-level events and metadata, and build out workflows that incorporate risk assessment – but without turning enforcement into a sledgehammer instead of a gentle nudge.

Introduction

Cloud applications are here to stay. The question that many are wrestling with now is not ‘maybe’ but how much and how soon. Clear regional differences come into play that also define the starting point; UK adoption is higher than France and Germany but still lower than North America. At the crux of these questions lies protection of data and managing the risk of more sensitive data finding their way to cloud applications. In the initial phase of adoption, enterprises pointed to compliance and security as the primary reasons for not moving sensitive data to the cloud application provider’s environments. Now, the question enterprises must contend with is: How do I secure and monitor my data now that it is stored in the cloud? This mirrors a broader information security trend toward improved prevention capabilities supported by advances in monitoring and analytics to deliver a risk-centric approach.

That’s not to say that compliance has completely receded, but cloud application providers themselves and third-party tool vendors have done the necessary legwork to address many of the compliance requirements on both sides of the shared-responsibility equation. Instead, what it means is that compliance no longer trumps security, and the focus is now ramping up risk containment through data access monitoring and usage analytics.

When we surveyed stakeholders two years ago, we were confronted by what appeared to be contradictory results: respondents reported that security was the number one concern with cloud use and data migration, but respondents also reported that security concerns had not slowed adoption. After investigating, we found the explanation was that workloads being put into the cloud were non-critical workloads or workloads handling non-sensitive data.

That seems to have changed.
In this study, we found that while only 44% of respondents currently have half of their applications with sensitive data in the cloud, about 69% plan to move more workflows that use personally identifiable information (PII) and protected health information (PHI) into the cloud based on planned increases in security investments. What they are looking to resolve is which security investments are involved to enable that migration with more sophisticated requirements, including threat detection, monitoring and analytics-driven flagging of inappropriate data access. These concerns are especially pronounced for UK-based organizations and are becoming more urgent in North America. For all the hand wringing over shadow IT (and lingering internal opposition to cloud applications on account of negative security and compliance perceptions that persist as concerns), roughly 89% of survey respondents have adopted strategies to embrace cloud applications. They have done so by using a comprehensive set of compliance benchmarks, cloud provider certifications and risk-evaluation metrics. Broad and deep adoption has spurred organizations to view securing and governing cloud applications as strategic if not critical. And governing access to data looms large as applications and the regulated customer and private data that underpin critical business processes migrate outside of the firewall.

Users continue to address these concerns through existing approaches, notably data encryption at rest – which figures into 42% of 2016 spending plans – and identity access management at 43% of spending intentions. As enterprises look toward a prevention posture that will enable them to understand risk and threats to data, they are focused on how to take a proactive stance to remediating and identifying anomalous or suspicious end-user activity.
The transition toward a proactive stance and emphasis on prevention is reflected in planned investments in monitoring and reporting, user activity, and audit and data classification with regard to investment plans (at 43%, 44% and 48%, respectively). To provide some context for the size of the shift: monitoring accounts for 13.2% of current investments in cloud application security tools. The extent of the shift brings home how protection of data already in the cloud looms large for CISOs and security professionals, even as internal opposition to moving regulated data to the cloud persists as a challenge. Equally, the capability to detect and remediate suspicious access to data is viewed as very important by 55% of survey respondents and a critical requirement by another 20%. Almost one-third of UK-based organizations identified detection and remediation of suspicious access as a critical requirement. Existing on-premises tools for data classification and access monitoring meet cloud needs for only one-fifth of respondents.

This means that enterprises want to be able to consume events in real time but also implement an approach that is specific to their requirements. A ‘one size fits all’ approach is unlikely – close to 71% indicated that their security needs are more complex than the current set of platform and third-party tools can address. This trend further accentuates that risk management has come to the fore, since most enterprises want to be in the position to define their own risk profiles and appetites. It will be necessary to address an API-driven approach that fosters a healthy ecosystem and enhancements by the cloud application providers themselves to meet these specific and unique requirements.

Compliance is Not Enough: Moving Toward a Prevention Model for Cloud App Security

FOCUS IS INTENSIFYING ON MANAGING RISKS TO SENSITIVE DATA IN CLOUD APPS, WITH COMPLIANCE

Our survey investigated the extent to which enterprises in North America, the UK, France and Germany are focused on the migration of sensitive data to cloud applications, and the implications for their security strategies. In approaching our analysis, we set out with the assumption that a clear distinction has emerged among enterprises shifting toward cloud applications between meeting compliance requirements and mitigating risk through compliance failure and breach prevention.

The rationale for this assumption has two facets: first, as cloud application adoption becomes less tactical and more strategic, attention shifts from considerations of whether data should be stored in a third-party environment and whether cloud service providers can be trusted to hold up their end of the compliance bargain to how best data should be governed and secured from a wider range of threats (or inadvertent exposure through user error). Second, the greater emphasis on risk management is the outcome of a broader normalization trend, where compliance has rightly returned to a subset of security concerns that are largely addressed through general common sense security efforts.

The survey data has borne out this assumption (as illustrated in Figures 1 and 2), with some clear indications emerging of what enterprises view as the necessary steps toward a sustainable risk-containment approach, especially in terms of access monitoring and data-usage analytics. Compliance considerations, especially in the context of data-residency concerns, have by no means receded into the distance.
While some regional differences emerged – such as a greater emphasis on cloud provider compliance certifications in France, less emphasis on access control for German respondents and more concern from UK-based organizations about encryption of data at rest – the most prevalent operational and compliance hurdles are largely consistent.

Figure 1: Of those operational and compliance challenges that you have identified, what are the top 2 challenges that are most critical to address to encourage broader adoption of cloud applications and enable hybrid cloud security adoption?

Response options (results shown by region: US/Canada, UK, France, Germany; horizontal axis: percentage of respondents, 0% to 70%):

Cloud provider ability to satisfy compliance requirements and certifications

Internal stakeholders’ negative perceptions of cloud security and compliance

Insufficient controls available for cloud data to meet internal policies and guidance

Ensuring that regulated, proprietary or private data is encrypted at rest at the service provider, with centralized management of encryption keys

Maintaining consistent access security and authorization controls for cloud applications, including authentication and authorization

Logging, auditing and reporting for compliance for all cloud access usage and all data stored and processed at the cloud provider

Limited ability to meet data residency requirements for cloud services accessed by users from multiple jurisdictions

Inadequate level of visibility into application activity, including changes at the field level, that may be outside of policy or violate compliance requirements

However, as organizations take a more structured approach to moving critical business processes and sensitive data into the cloud application provider’s environment, prevention of data misuse and loss escalates in importance. By and large, managing access to sensitive data and ensuring that the data is encrypted while stored in a third-party environment remain the most significant protection concerns and challenges. Spending intentions suggest that organizations are more likely to opt for native platform tools over third-party tools for these functionality sets. It is clear, however, that encryption of data at rest and access controls are absolute prerequisites for broader adoption of cloud applications – and especially for applications that store PII, PHI and other categories of sensitive data. When respondents were asked to rank the top two security and risk management challenges, these tools remained important considerations, and a new set of requirements came into scope: a focus on who has access to sensitive data (including users and administrators) and what actions they are taking. However, one-third of respondents based in France identified internal stakeholders’ negative perceptions of security risks and need for mitigating control as a significant hurdle to adoption, while less than one-tenth of UK-based respondents pointed to negative internal perceptions as an issue. These responses point to security professionals looking beyond compliance requirements – even for sensitive data – to ensure that they are managing the risk of not only employing cloud applications to store sensitive data, but also access to the data using data classification. As we explore in the next section, on-premises tools for data leakage and data classification are only partially sufficient responses for many.

Likewise, addressing compliance requirements is effectively a prerequisite for moving any regulated data to a cloud application provider’s environment.
And compliance requirements fall on both sides of the shared-responsibility equation. For example, it’s practically impossible for a customer to be deemed in compliance for protection of PHI if the cloud application provider has not provided a HIPAA business affiliate agreement. But as cloud application providers demonstrate a track record for meeting compliance requirements in the context of the cloud service shared responsibility, that is no longer the primary concern.

Figure 2: Of those security and risk management challenges that you have identified, what are the top 2 challenges that are most critical to address to encourage broader adoption of cloud applications and enable hybrid cloud security adoption?

Response options (results shown by region: US/Canada, UK, France, Germany; horizontal axis: percentage of respondents, 0% to 40%):

Ongoing internal security programs designed to detect anomalous activity and identify security breaches in a timely fashion

Internal stakeholders’ negative perceptions of security risks, and need for mitigating controls

Ensuring that regulated, proprietary or private data is encrypted at rest at the service provider, with centralized management of encryption keys

Separation of duties for encryption keys, IT administrators and line of business managers

Maintaining consistent access security and authorization controls for cloud applications, including authentication and authorization

Inadequate tools to monitor and report on user activity and data usage in cloud provider environment - who touches what, when

Maintaining a real-time view into the state of data stored and processed by the cloud service

Real-time security policies to manage and mitigate risk of suspicious user behavior

Inadequate level of visibility into application activity, including changes by users or administrators at the field level, that may be outside of policy or violate compliance requirements

Lack of comprehensive native data classification capabilities and ability to detect changes to data state on a real-time basis

Ability to integrate real-time data feeds via APIs into existing security programs, including analytics engines and machine-learning technologies

Ability to integrate with on-premises enforcement tools and policy stores

State of Cloud App Adoption: No Longer Peripheral, But Not Yet Universal

We set out first to assess the current level of penetration of cloud applications as a category, and determine relative levels of confidence in moving sensitive data to the cloud in order to establish a baseline for our analysis. The initial conclusion is that cloud applications are here to stay, and they are in the process of moving from the periphery of the IT estate for a few isolated business processes. Still, without a baseline, it’s difficult to clearly map out the adoption trajectory and identify where security and compliance now feature in the picture.

In tandem with the higher penetration of cloud apps (see Figure 3), a growing proportion of cloud applications now process and store sensitive data that is subject to compliance mandates or regulatory requirements (see Figure 4). This points to another trend: not only is the proportion changing, but use of cloud applications is becoming more deeply entrenched.


Figure 3: What is the current proportion of your overall application estate that is composed of cloud application services such as Salesforce or Concur?

Response bands: Less than 5%; 5% - 9%; 10% - 24%; 25% - 49%; 50% - 74%; 75% - 89%; 90% - 100% (almost entirely cloud applications). Results shown by region: US/Canada, UK, France, Germany; horizontal axis: percentage of respondents, 0% to 40%.

While the general trend is toward greater cloud application use and moving more sensitive data to the cloud, there is plenty of variation around the mean. For example, there is a wide distribution between those respondents for whom almost all cloud applications in use are subject to compliance or regulation (at about 7%), and those for whom almost none are (at just under 4%). For the remainder of respondents, the largest group (at close to 32%) reported that half to three-quarters of their cloud applications are subject to compliance or regulatory requirements of some form. This trend is more pronounced in North America than in the UK, France and Germany, where a smaller proportion of respondents indicated that more than half of their cloud applications are subject to cloud mandates. Despite the relative distribution of adoption of cloud applications that are within the scope of compliance, most respondents have a clear idea of what tools need to be in place to facilitate the migration of sensitive data – in tandem with ongoing commitments by cloud service providers to meet those compliance requirements. This trend is exemplified by the shift in investment priorities toward event monitoring and analytics (as discussed in Section 3) to facilitate migration of sensitive data to cloud applications.


Figure 4: What proportion of your current cloud applications in use are within the scope of compliance mandates or subject to regulatory requirements?

Stacked distribution by region (US/Canada, UK, France, Germany) across the bands < 5%, 5-9%, 10-24%, 25-49%, 50-74%, 75-90% and 90-100%; horizontal axis: percentage of respondents, 0% to 100%.

When we drilled down to another degree of detail on what percentage of those applications subject to compliance mandates and regulatory requirements store sensitive data such as PII and PHI, the majority of respondents were clustered in the middle. About 29% of survey respondents indicated that 50-74% of these cloud applications stored PII and PHI.

Figure 5: Of these applications, what percentage store sensitive, regulated data such as personally identifiable information (PII) or personal health information (PHI)?

Stacked distribution by region (US/Canada, UK, France, Germany) across the bands < 5%, 5-9%, 10-24%, 25-49%, 50-74%, 75-90% and 90-100%; horizontal axis: percentage of respondents, 0% to 100%.

Sensitive Data in the Cloud: It’s A Question of Degree

The conclusion we draw from this survey is that just as cloud application adoption is at an inflection point, the level of comfort and confidence is one step behind. Also, organizations in North America are one step ahead of those in the UK, which are, in turn, one step ahead of those in Germany, followed by France. Our data shows that for about 54% of survey participants, at least half of their cloud applications are subject to compliance mandates or regulatory requirements. However, once we factored in the question of what percentage of those applications store PII and PHI (as a proxy for the broader category of sensitive data), 44% indicated that more than half of their cloud applications contain sensitive data, with significant regional variations: North America again showed greater adoption than the UK, Germany and France.


There is no single reason to explain that discrepancy. In fact, survey results suggest a wide range of reasons, including emerging data-residency concerns fueled by the introduction of revised Safe Harbor provisions under the Privacy Shield agreement, internal opposition to moving data to cloud applications and the perception of the maturity of tools to detect suspicious end-user access activity. However, as we discuss below, the trend is to move more sensitive data, including regulated, proprietary and customer data into cloud applications – with 69% of respondents indicating that they plan to move more workflows that use PII and PHI data into the cloud as a result of increased investment in security – with respondents in France leading the pack followed by the US, Germany and the UK. What the data suggests is that while there is a broader level of comfort with the ability of cloud application providers to meet regulatory and compliance requirements for sensitive data stored in the cloud, protection of data in the cloud now encompasses risk management and mitigation.

Figure 6: Do you plan to move more workflows that use PII and PHI data into the cloud as a result of increased investment in security?

[Chart: Yes / No / Don't Know responses by region (US/Canada, UK, France, Germany) and in total; horizontal axis 0% to 100% of respondents.]

Cloud App Benchmarking Becoming Standard Practice

The survey results also indicate that most organizations have taken a methodical and structured approach to the evaluation of cloud applications. Since the tide has long turned against trying to discourage or even sanction users against shadow IT, the approach now is to maintain a registry of approved cloud applications.

In turn, this means that many information security professionals have a more explicit set of benchmarks by which to evaluate the security and compliance attributes of cloud applications. Almost 89% of all respondents reported that they have a specific set of security, compliance and data benchmarks for evaluation before they are sanctioned for corporate use.

The good news is that many see cloud application providers as making good progress, given both adoption trends and how prominently cloud application provider compliance standards figure in their decisions. This prominence may reflect persistent internal opposition to moving sensitive data to cloud applications. One potential consequence is that cloud application providers that are the most proactive in meeting these requirements will benefit the most when enterprises move critical business processes to the cloud.


Figure 7: Please select from the list which benchmarks are included when evaluating cloud apps

[Chart: share of respondents selecting each benchmark, by region (US/Canada, UK, France, Germany); horizontal axis 0% to 70%.] Benchmarks listed:

Cloud provider datacenter and operational certifications (e.g., SOC)
Cloud provider compliance certifications (PCI, HIPAA, SOX, etc.)
Cloud provider breach detection and notification policies
Cloud provider encryption of data at rest for stored data
Cloud provider administrative access controls and monitoring
Cloud provider continuity and disaster recovery, including DDoS mitigation
Cloud provider configuration management policies
Cloud provider API security and governance
Cloud provider customer instance isolation and data classification policies


Cloud Data Access Monitoring Anxieties: Risk Management Takes Center Stage

The challenge that enterprises have now grasped is that it's their responsibility to ensure that once their data is in the cloud, it is secured not only via encryption of data at rest, but also from misuse by their own users or attacks exploiting stolen enterprise credentials. Although certainly plenty of organizations have concerns about whether they can build out comprehensive threat models for cloud applications, many have more practical concerns about compliance failures resulting from users inadvertently exposing sensitive data. While encrypting everything is not always a recipe for a harmonious relationship between business users and the CISOs, not applying encryption when compliance mandates or corporate policies require the control significantly elevates risk.

It's an information security truism that you can't control what you can't see. By extension, you can't apply analytics if you have no controls in place to generate an event feed and logs. The reason traditional data-access monitoring falls short for cloud-access monitoring is that it's based on these assumptions. Now that cloud service providers can provide a steady stream of granular, field-level events on data usage that can be tied back to specific user profiles, coupled with insights derived from metadata, existing models are easily exposed as inadequate.

By contrast, the ability to intelligently apply policies based on a combination of granular insights and analytical output about the data, user attributes and incremental telemetry such as user location represents a significant advance over current approaches. Applying an analytics-driven risk model to these inputs has long been held out as nirvana by CISOs. The irony is that nirvana may be closer to their grasp in the cloud – if they make the appropriate investments in tools, processes and workflows.

It seems unlikely, however, that those investments will be made in more traditional approaches. Only one-fifth of all respondents indicated that on-premises tools comprehensively meet requirements for data classification, protection and access monitoring for cloud environments. Certainly, 43% of respondents (a slightly higher number in the UK and a significantly lower number in Germany) indicated that the current tools address their near-term requirements. The caveat is that these near-term requirements will rapidly evolve as a result of the clear intentions to move more sensitive, regulated and proprietary data to the cloud.

Figure 8: To what extent can existing on-premises tools for data classification, protection and access monitoring meet the data integrity and audit requirements for cloud environments?

[Chart: responses by region (US/Canada, UK, France, Germany) and in total, horizontal axis 0% to 100%, on the scale: Don't Know; 1 - Not at all sufficient; 2 - Partially sufficient - source of policy logic; 3 - Partially sufficient - can integrate with target service; 4 - Addresses most near-term needs; 5 - Comprehensively meets requirements.]


Putting Prevention into Practice: End-User Monitoring Takes Center Stage

The importance of being able to detect and remediate suspicious end-user access to sensitive data in cloud applications is overwhelming for survey respondents. This response suggests to us that not only has a clear distinction emerged between compliance and security and risk management, but that visibility and insight into the interaction between cloud data and usage is the risk that causes the most anxiety. Granted, some of these concerns may stem from the desire for comprehensive logging and audit capabilities for cloud data. However, the level of importance attached by almost three-quarters of respondents reflects a desire to assume a more proactive stance to security and compliance – as well as customer privacy.

Certainly, the emphasis that emerges from these survey responses on prevention is consistent with a broader shift to a risk-centric posture, or what has been described as situational awareness. In more practical terms, it means that ensuring encryption is in place is as important as knowing whether access to the data is appropriate. Enterprises are moving to a more holistic approach that assesses activity and usage in multiple dimensions, and applies analytics based on either threat models or historical transaction patterns to better detect suspicious activity or, ideally, breaches.

Figure 9: How important is the capability to detect and remediate suspicious end-user access to sensitive data in cloud applications, whether as a result of employee error, potential insider malfeasance or stolen credentials?

[Chart: responses by region (US/Canada, UK, France, Germany) and in total, horizontal axis 0% to 100%, on the scale: Don't Know; 1 - Not at all important; 2 - Somewhat important; 3 - Important; 4 - Very Important; 5 - Critical Requirement.]

Prevention is Not the Cure Without Protection: Data Encryption Goes Better with Access Monitoring

We should note that while our analysis points to risk management and prevention of inappropriate data access and usage now figuring as integral to the broader question of how to expand cloud application adoption, encryption at rest remains a cornerstone of cloud application security and critical to migration of regulated data. And, as additional survey data suggests on the mix between third-party tools and platform capabilities, native platform encryption is where enterprises plan to invest significantly.

Encryption of data at rest is ultimately an enforcement mechanism, which is ideally enforced based on incoming authorization assertions or values. Once a user has been authorized to access the data, it is no longer encrypted. The question then immediately shifts to whether the access and the data usage are appropriate. In order to evaluate whether encryption of data at rest is proving effective in limiting access to sensitive data, data classification, monitoring and analytics come into play.

The perception is reinforced when we asked CISOs how they perceived the relative importance of migrating more PII data into cloud environments able to natively encrypt data at rest through platform provider tools, as well as the ability to implement controls for threat-detection intelligence and monitoring of data leakage or inappropriate access. The responses were practically identical in their distribution; at least 85% of CISOs viewed the two capabilities as important to migrating regulated and sensitive data to cloud applications.

Investment in encryption of data at rest is, of course, driven in part by specific compliance language, while end-user-access monitoring is not explicitly prescribed by compliance mandates or regulation. However, the overwhelming response suggests that protection in the form of encryption of data at rest, and prevention in the form of end-user-access monitoring and data protection, are two sides of the same coin for the future of cloud application security.

Figure 10: How would you rate the ability to implement controls for threat detection intelligence and monitoring of data leakage or inappropriate access to address concerns about moving more PII data into cloud environments? Please rank on a scale of 1-5 with 1 not at all important and 5 critical, as follows.

[Chart: responses by region (US/Canada, UK, France, Germany) and in total, horizontal axis 0% to 100%, on the scale: Don't Know; 1 - Not at all important; 2 - Somewhat important; 3 - Important; 4 - Very Important; 5 - Critical Requirement.]

Putting Your Money Where Your Risk is: 2016 Investment Outlook Increases Focus on Monitoring and Analytics

If we can conclude that risk management has drawn even with compliance as a primary concern for moving sensitive data to cloud applications, and that the current tools to address risk management anxieties are centered on monitoring data usage and detecting suspicious behavior, it's appropriate to ask how and to what extent enterprises will be moving sensitive, regulated or proprietary data to cloud applications.

In the first section of the report, we noted that 44% of respondents indicated that half of their cloud applications store sensitive data in the cloud, and 84% of respondents indicated that they plan to move more critical business applications that process secure workloads to cloud applications in 2016 (93% of respondents in the US and Canada reporting affirmatively to the question). However, when we framed the question in more specific terms, the number moved down materially: roughly 69% of survey participants plan to move more workflows that use PII and PHI into the cloud as a result of increased investment. We would highlight two aspects of this response: First, the intention to move more regulated data into cloud applications is conditional on additional investments in security tools. Second, we would also point out that this response was across the board – not just from those that were already down the path of moving data covered by specific compliance mandates to the cloud.

Clear regional differences emerged in terms of intentions, with North American respondents notably more optimistic about the prospects.

The question of how enterprises plan to move their sensitive data to the cloud is revealing. Compliance certifications and auditor signoff are obvious prerequisites for moving regulated data to the cloud. But we can work backwards from planned investments, anxieties about end-user monitoring, data protection, as well as the technical reasons for not moving to the cloud to posit what have emerged as the major concerns for the next phase of cloud application adoption. We would even go so far as to suggest that these concerns extend beyond specific compliance mandates to all data that has value to the enterprise – including proprietary and customer data. These major concerns are:

• Lack of visibility into the state of data in cloud app environments
• Ability to detect suspicious data usage and effectively limit access via encryption
• Integration of real-time intelligence with enforcement
• Maturity of tools – control and monitoring still seen as falling short of requirements
• Effective encryption of data at rest, especially for regulated data

We should also note that this question probably elicited the widest range of regional variation. Particularly notable is that more organizations in North America identified data residency issues as a concern than did their counterparts in the UK, Germany and France. This likely reflects the changes in what were known as the Safe Harbor provisions and the new requirements under the Privacy Shield agreement. Since EU companies have already been subject to privacy requirements for some time, the relative uncertainty of the Privacy Shield requirements could likely give pause to some US companies.

Figure 11: What are the reasons for not moving workflows?

[Chart: share of respondents selecting each reason, by region (US/Canada, UK, France, Germany); horizontal axis 0% to 50%.] Reasons listed:

Require regulatory approvals for broader adoption and use of PII/PHI
Data residency concerns
Ability to apply automated encryption at rest to sensitive, confidential and proprietary data
Need for real-time monitoring of data activity
Comprehensive threat intelligence and modeling for cloud data to detect anomalous
Ability to apply risk-based approaches to preventing security threats or compliance violations in real time
Complexity of security solutions
Ability to maintain same level of security and audit capabilities in the cloud as currently have on premises

As expected, regulatory approvals are a concern. In addition, conformance with data-residency requirements is a critical consideration. However, risk-centric concerns, monitoring, threat modeling and maturity of tools are far more prevalent as obstacles to migrating regulated data.

Moving to specific technical capabilities, we see precisely those areas that were flagged as obstacles to broader adoption appear as primary areas of investment. Certainly, categories that currently draw investment and that map to compliance requirements – specifically access control and data encryption – remain areas for significant focus. We would point out that there are certainly solid security rationales for investing in identity and access management and data encryption, putting aside compliance concerns. However, those capabilities that we have identified as being critical for effective risk management are close to drawing even or surpassing what have been driven by compliance concerns.


Figure 12: What are your primary areas of planned investment?

[Chart: share of respondents selecting each area, by region (US/Canada, UK, France, Germany); horizontal axis 0% to 70%.] Areas listed:

User activity logging and auditing
Monitoring and reporting
Data classification and data loss prevention
Encryption of data at rest
Encryption of data in flight
Identity and access management
Advanced analytics and threat modeling
Risk-based threat mitigation and remediation
API management and integration

Platform Security Spending To Rise in 2016

So what are the implications for enterprise security investment? The results for planned investments in 2016 suggest a heavier emphasis on tools for cloud application providers at the expense of third-party tools. To provide a comparison, 78% of respondents indicated that they currently employ native cloud application provider capabilities to secure their cloud applications, compared with 55% who indicated that they use third-party tools.

The growing focus on moving beyond compliance-led controls and logging toward monitoring and usage analytics is, in turn, driving ongoing investment in cloud application provider platform security, as well as third-party tools. Third-party tools can still be implemented for what might be called cornerstone cloud application security needs, including access control, authentication and data encryption, as well as for extending platform-provider tools.

However, we see organizations looking to third-party providers for more sophisticated needs, spanning visibility and monitoring to usage analytics, risk profiling, and orchestration of security and risk management workflows. This mixed approach to security investments looks likely to continue, although with investments increasingly tilted toward platform tools.


Figure 13: How do you secure your current cloud apps?

[Chart: share of respondents by region (US/Canada, UK, France, Germany) using native cloud provider platform capabilities, third-party security tools, or answering Don't Know; horizontal axis 0% to 100%.]

Figure 14: Which third-party cloud data security, compliance and governance tools are currently in use?

[Chart: share of respondents using each tool category, by region (US/Canada, UK, France, Germany); horizontal axis 0% to 70%.] Categories listed:

Identity management as a service
SSO and federation as a service
Cloud data security gateways - including encryption
Data classification and data loss prevention for cloud applications and services
Auditing and logging of cloud access and usage
Advanced analytics and machine learning
Malware analysis and detection


That these elements are consistent across multiple categories should not come as a surprise – they point to the next phase in the evolution of cloud application security. Access and authorization control requirements hold whether the user is accessing on-premises resources or cloud-based services. Also, where access is effectively remote for cloud applications, there is a need for authentication to validate the user's identity. Likewise, encryption at rest is critical to compliance requirements, but also meets the need for control over corporate or enterprise data that resides in a third-party environment.

The ratio shifts when viewed in the context of spending intentions: 67% of respondents indicated an increase in platform or service provider tools in 2016, compared with 39% who reported plans to invest in third-party tools. It should be noted that the comparison is skewed somewhat by those reporting no plans to increase investment at just under 13%.

Figure 15: Do you plan to invest to increase investment in cloud app security tools in 2016?

[Chart: responses by region (US/Canada, UK, France, Germany), horizontal axis 0% to 80%, for the options: Yes - increased investment in platform or service provider tools; Yes - increased investment in third-party tools; No plans to increase investment; Don't Know.]

If we look at the top spending categories, especially data security, they might be more directed to cloud application provider capabilities. Certainly, native platform data encryption at rest is on the upswing at the expense of gateway alternatives. Equally, spending intentions by larger enterprises may be ahead of the current capabilities of third-party tool vendors. After all, roughly 71% of respondents indicated that their security and compliance needs are more complex than the current tools – from both platform providers and third-party tools – can support. Only one-quarter of respondents indicated that their security needs were not more complex. Between now and the end of the year, delivery on roadmaps or shifts in roadmaps driven by a greater emphasis on real-time activity monitoring and consumption of real-time events could result in a modified ratio.

The shift could also point to a shift toward a more fluid mix and match model enabled by an API-centric model. This position is supported by the response to the question about whether there are concerns regarding the security extensibility of the cloud application provider's APIs, where two-thirds of respondents identified it as an issue. It is further reinforced by the follow-up question where we asked whether the lack of extensibility was a hurdle to broader cloud adoption, and 84% of respondents reported in the affirmative.


Figure 16: Does your organization have concerns about the extensibility of security provided by your cloud service provider via a set of well-supported APIs?

[Chart: Yes / No / Don't Know responses by region (US/Canada, UK, France, Germany); horizontal axis 0% to 100%.]

Figure 17: Do you perceive the lack of extensible security and governance tools that are easily integrated via APIs to be a hurdle to broader cloud architecture adoption?

[Chart: Yes / No / Don't Know responses by region (US/Canada, UK, France, Germany); horizontal axis 0% to 100%.]

APIs are not only useful as tools to lower integration costs and enable automation. Certainly, enterprises share risk profiles with other companies within their own vertical, and in many cases, their appetite for risk is determined by third parties such as regulators. But there is enough variation around the mean that enterprises will want to retain some ability and flexibility to configure and dial their own risk management programs. The reason this study finds such a markedly negative response to the state of cloud provider APIs is that enterprises want to continue to extend their capabilities via integration, and are leery of a 'one size fits all' approach. Customization is standard operating practice for all other cloud application features and functionality, after all.


Recommendations

Avoid a 'one size fits all' approach: There is, of course, an incentive for both platform providers and third-party tool vendors of cloud application security to address as generalized a market need as they can. But there are indications that CISOs will not be satisfied with a general approach to their specific needs. Platform providers will need to go deeper in terms of their native capabilities, while third-party tools will need to go wider to provide analytics and monitoring across the cloud application estate. Platform providers will need to provide more robust APIs, while third-party tool vendors will need to invest in the ability to siphon out real-time events and build out threat-modeling capabilities.

Test, test and test again: Forward-looking CISOs will admit that their challenge is modeling for new, unanticipated threats that will inevitably emerge as data with higher economic value to attackers moves to the cloud. Also, the end-user propensity for inadvertent compliance or policy failures isn't magically mitigated because the data is in the cloud. This means that tools should be tested for the ability to detect anomalous activity such as access from different physical locations and IP ranges, as well as for behavior patterns that suggest corporate credentials have been hijacked. Testing should also be implemented to evaluate whether policy violations can be flagged with a high degree of certainty. False positives are equally damaging because they undermine user confidence in security tools and prompt workarounds.

Put internal stakeholders at ease, but avoid complacency: Although new data-residency requirements will strengthen the hand of cloud naysayers, there is plenty of work that can be done by CISOs and platform providers to sway negative perceptions. Equally, cloud applications should be consistently evaluated and internal controls tested. Just because users can be more secure in the cloud doesn't mean they will be without the right processes and risk mitigation workflows in place.

Balance risk mitigation with ease of user access: Many organizations have found effective ways to co-opt unsanctioned cloud application usage. The next step is to work with users to formulate workflows and integration of risk-mitigation processes such as step-up authentication in ways that are minimally disruptive. This goes hand in hand with planned investment in analytics and monitoring but also requires security teams to find the happy medium between control and efficient business processes.

Leverage the power of field-level data and metadata: As we’ve noted, nirvana for access-usage monitoring is to be able to evaluate a transaction in real time based on data and user attributes, along with other contextual telemetry. Because of cloud application design methodologies and efforts by providers such as Salesforce to expose metadata, there’s potential to move that vision closer to practical reality. The onus is on customers to invest in the development of policies that leverage all the granular information and insights, and build out workflows that incorporate risk assessment – but without turning enforcement into a sledgehammer instead of a gentle nudge.
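As an added illustration (not code from the report or from Salesforce) of the real-time, risk-scored evaluation described in the access-monitoring section and in the last two recommendations: each constructed field-level access event is scored on data classification, the user's role, source network, location change and volume, and the response is graduated from allow to step-up authentication to block rather than a flat deny. The classification map, role baselines, IP ranges, thresholds and sample events are all assumptions.

```python
# Added illustration, not code from the report or from Salesforce: a risk-scored
# monitor over constructed field-level access events. Classification map, role
# baselines, IP ranges, thresholds and sample events are all assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed classification of fields, as provider metadata might expose it.
FIELD_CLASSIFICATION = {
    "Contact.Email": "PII",
    "Contact.SSN__c": "PII",
    "Patient.Diagnosis__c": "PHI",
    "Account.Name": "PUBLIC",
}
# Assumed corporate egress ranges (documentation prefixes); anything else is off-network.
CORPORATE_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Assumed baseline of which roles legitimately read which classifications.
ROLE_BASELINE = {
    "support": {"PUBLIC", "PII"},
    "clinician": {"PUBLIC", "PII", "PHI"},
    "marketing": {"PUBLIC"},
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    src_ip: str
    country: str
    fields: List[str]
    records: int


@dataclass
class Decision:
    action: str  # "allow", "step_up" (extra authentication) or "block"
    score: int
    reasons: List[str] = field(default_factory=list)


class AccessMonitor:
    """Combines data classification, user attributes and contextual telemetry into
    one score, then picks a graduated response instead of a flat allow/deny."""

    def __init__(self, step_up_at: int = 40, block_at: int = 70):
        self.step_up_at = step_up_at
        self.block_at = block_at
        self.last_seen: Dict[str, AccessEvent] = {}  # per-user context for location checks

    def evaluate(self, ev: AccessEvent) -> Decision:
        score, reasons = 0, []
        classes = {FIELD_CLASSIFICATION.get(f, "UNKNOWN") for f in ev.fields}
        sensitive = bool(classes & {"PII", "PHI"})
        # 1. High-certainty policy violation: role reads a class outside its baseline.
        outside = classes - ROLE_BASELINE.get(ev.role, set())
        if outside:
            score += 50
            reasons.append(f"role '{ev.role}' read {sorted(outside)} fields")
        # 2. Contextual telemetry: sensitive data pulled from outside corporate ranges.
        ip = ip_address(ev.src_ip)
        if sensitive and not any(ip in net for net in CORPORATE_NETWORKS):
            score += 20
            reasons.append(f"sensitive fields from non-corporate IP {ev.src_ip}")
        # 3. Country change within an hour of the same user's previous access.
        prev = self.last_seen.get(ev.user)
        if prev and prev.country != ev.country and ev.ts - prev.ts < timedelta(hours=1):
            score += 30
            reasons.append(f"country changed {prev.country}->{ev.country} within 1h")
        # 4. Volume: bulk reads of sensitive records suggest export or misuse.
        if sensitive and ev.records >= 1000:
            score += 25
            reasons.append(f"bulk read of {ev.records} sensitive records")
        self.last_seen[ev.user] = ev
        if score >= self.block_at:
            action = "block"
        elif score >= self.step_up_at:
            action = "step_up"  # the "gentle nudge": re-authenticate, don't cut off
        else:
            action = "allow"
        return Decision(action, score, reasons)


def run_sample() -> List[Decision]:
    """Constructed stream: benign baseline, suspicious context change, public data
    off-network (must not alert, to limit false positives) and a clear violation."""
    t0 = datetime(2016, 4, 1, 9, 0)
    events = [
        AccessEvent(t0, "alice", "support", "203.0.113.10", "US", ["Contact.Email"], 5),
        AccessEvent(t0 + timedelta(minutes=30), "alice", "support", "192.0.2.77", "DE",
                    ["Contact.Email"], 5),
        AccessEvent(t0, "bob", "marketing", "192.0.2.5", "US", ["Account.Name"], 200),
        AccessEvent(t0, "dave", "marketing", "192.0.2.9", "US", ["Contact.SSN__c"], 2000),
    ]
    monitor = AccessMonitor()
    return [monitor.evaluate(e) for e in events]


if __name__ == "__main__":
    for d in run_sample():
        print(d.action, d.score, "; ".join(d.reasons))
```

The public-data read from an unknown network stays at "allow" on purpose: scoring only what is sensitive is what keeps the false-positive rate, and the workaround pressure the report warns about, down.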