During a security panel I moderated a few months ago, a chief information security officer (CISO) half-jokingly said he felt like success for him was based on how fast he was willing to give up control of his IT environment. I understand the sentiment, as the rises in mobility and cloud do seem to be taking control away from IT and making the environment less secure.
The rise in "shadow IT" has exacerbated the problem, as more business leaders make cloud services decisions without IT's knowledge. The ZK Research 2016 Security Survey found that respondents at a whopping 96% of companies are using cloud services that aren't sanctioned by IT. I'm guessing the remaining 4% of respondents are with organizations like the National Security Agency or simply don't know.
While chatting with this CISO after the session, I told him he was thinking of the problem in the wrong way. I'll admit, the business often does circumvent IT, but IT can't just throw its hands up and cede control. Rather, IT needs to shift control to a place where it can implement and enforce policies. Let's say IT doesn't have control of mobile endpoints. That makes the next closest point the access point (AP). So, instead of putting agents on mobile devices, IT should apply some sort of authentication technology ( 802.1x, for example) at the AP.
The cloud presents a different challenge since the enterprise network doesn't physically extend out to the service. Cisco took a big leap forward in its efforts to address this challenge with the decision to acquire CloudLock, a $239 million deal announced earlier this week. The acquisition was the fifth for Cisco this year, and the 15th since CEO Chuck Robbins took the company's helm. (Interestingly, most of these acquisitions have been related to cloud or security, showing the importance he puts on this problem.)
Brokering Cloud Access
CloudLock is one of many players in the burgeoning cloud access security broker (CASB) space. As defined by Gartner, CASBs are "security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on." CASBs, in other words, help companies control and secure the cloud, thus enabling them to adopt cloud services faster.
However, most CASB providers use a proxy architecture using on-premises physical appliances. CloudLock, on the other hand, is a cloud-native service that uses an API-based approach to deliver detailed information on cloud service users and usage habits. For example, CloudLock can tell if an employee is accessing sensitive data from an insecure location, and then prevent the user from doing so. This could be useful for hospitals, financial services companies, or other regulated industries -- or any organization that wants to prevent exposure of sensitive information.
CloudLock works with almost any cloud offering, whether it's purchased, custom-built, or delivered as a service, in any form -- SaaS, IaaS, PaaS, UCaaS, and so on -- with no code required from the customer. It obviously supports all the big cloud apps like Salesforce.com, Google Apps, Workday, and Microsoft Office 365, but also the long tail of niche and vertically specific ones.
Pick Your Policy
CloudLock has a discovery product that helps IT uncover what services are in use throughout their organizations. From a CloudLock dashboard they can then pick and choose policies to apply.
IT can set policies by device, geography, user, time of day, or a number of other factors for granular policy enforcement. CloudLock generates alerts when policies are violated. As one example, if a worker attempts to access different applications from two countries at the same time, CloudLock can generate an alert, much like the way credit-card companies operate. Likewise, if a worker tries to transfer information from something like Salesforce.com to a personal Dropbox account, CloudLock can issue an alert. IT can use CloudLock as a data loss prevention (DLP) solution for the cloud, protecting the company against insider breaches, which represent a much bigger problem today than external threats.
At less than five years old, CloudLock is a relatively young vendor. Its three founders, however, have deep security backgrounds. Gil Zimmermann, CEO, and Tsahy Shapsa, VP of business development, are veterans of the Israel Defense Forces, and Shapsa also served as security team leader for the Israeli Prime Minister's Office. CTO Ron Zalkind has held a number of engineering positions in the private and military sectors, including stints with the Israel Air Force and Interwise (now AT&T). To date, the company has racked up more than 700 customers, including a number of big name ones such as the U.S. Army, Enterprise Rent-A-Car, DreamWorks, and Whirlpool.
In many organizations, the cloud creates tension between the lines of business and the IT department. Business leaders want to move fast, but IT needs to slow them down to understand the implications. CloudLock gives IT the control it needs, which can speed up cloud adoption. Given Cisco's focus on security and cloud over the past few years, this acquisition should flourish when dropped into Cisco's channel.