How to ensure effective security in an infrastructure as a service environment

by David Shephard, Vice President of Sales for Asia Pacific and Japan at Bitglass

Enticed by the benefits of reduced costs and improved flexibility, more and more organisations are adopting infrastructure as a service (IaaS) platforms. These platforms – provided by companies such as Amazon, Microsoft, and Google – offer scalable resources that can meet the ever-shifting demands of modern business.

While the use of IaaS provides readily apparent benefits, it can also create uncertainty and, consequently, risk. For example, many organisations that have deployed said platforms report decreased visibility and control over business-critical workloads, yielding a variety of new security challenges.

To enjoy the benefits of IaaS while staving off its risks, the enterprise must ensure that appropriate security precautions are in place. Corporate data needs to be protected at all times – at access, in the cloud, and in transit. To achieve this, organisations must manage their IaaS platforms’ management consoles, protect their data at rest, and secure connected cloud applications.

The management console

Whether an organisation is using AWS, Microsoft Azure, or Google Cloud, a management console serves as a gateway to everything hosted on an IaaS platform. For example, these consoles provide access to all virtual machines in use, offering the ability to stop and start VM instances.

In light of the above functionality, it’s important for organisations to differentiate between employees who require complete admin rights and employees who should remain standard users. Additionally, some employees might need intermediate levels of permissions whereby they can spin up new VMs but not terminate existing instances. The dynamic demands of daily business dictate that the enterprise manages this permission-granting process in a reliable, real-time fashion.
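The three permission tiers described above, as an added example that is not part of the article or of any Bitglass product: constructed AWS-style IAM policy documents using real EC2 action names, plus a minimal evaluator (an assumption, not AWS's own engine) that applies the rule that an explicit Deny beats an Allow and anything unmatched is denied.

```python
from fnmatch import fnmatchcase

# Constructed policy documents in the AWS IAM JSON shape (real EC2 action names).
STANDARD_USER = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
]}

# Intermediate tier from the text: may spin up, stop and start VMs, but never
# terminate. The explicit Deny is not redundant: it still wins if some other
# attached policy later grants a broad "ec2:*" Allow.
VM_OPERATOR = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances",
                                   "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": "*"},
]}

ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
]}

TIERS = {"standard": STANDARD_USER, "vm-operator": VM_OPERATOR, "admin": ADMIN}


def is_allowed(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation (assumed stand-in for AWS's engine):
    an explicit Deny wins over any Allow, and no match at all means deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def tier_matrix(actions):
    """Who may do what: {tier: {action: bool}}, handy for access reviews."""
    return {tier: {a: is_allowed(pol, a) for a in actions}
            for tier, pol in TIERS.items()}


if __name__ == "__main__":
    checks = ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"]
    for tier, row in tier_matrix(checks).items():
        print(tier, row)
```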

Protecting data at rest

In addition to securing access, organisations must employ sufficient protections for data at rest in IaaS platforms. This is particularly important when an enterprise handles sensitive data, like personally identifiable information (PII), that warrants a heightened degree of security.

Having continuous, comprehensive protection for data at rest is also critical for complying with various regulations around the world; for example, the European Union’s General Data Protection Regulation (GDPR). This can be achieved through security tools that tokenise sensitive information, replacing it with indecipherable strings of characters and thereby obfuscating the data stored in the cloud.

Connected applications

Typically, when an enterprise is utilising an IaaS platform, its employees will make use of connected cloud applications in order to manipulate or process the data stored on said platform. Despite the fact that these connected applications have the potential to cause significant security problems, they are often overlooked by organisations seeking to protect their data.

For this reason, the enterprise must take steps to ensure that data remains secure as it is transferred between the data store and connected applications. To reduce the risk of data leakage, organisations must also have the ability to identify connected apps that should not have access to corporate data.

The role of a CASB

Deploying a cloud access security broker (CASB) can empower organisations to overcome each of the above challenges. Specific features that enable IaaS security include:

  • Identity: Like on-premises identity systems, cloud identity capabilities need to be robust and thorough. It’s vital that the identity of all users is confirmed before any access is granted to IaaS platforms or connected applications.
  • Access control: Organisations need to have granular access control that can be tailored to match the needs of individual users. Relying solely upon allow and block functionality is not enough; intermediate levels of access are necessary for many employees. This type of access control is enabled by cloud DLP (data leakage prevention), another tool that can be provided by CASBs.
  • Tokenisation: This capability can obfuscate data at rest on cloud platforms while maintaining data usability for authorised employees. In other words, tokenisation enables security and regulatory compliance without harming user experience. Additionally, it can help to protect data as it moves from a cloud platform to a connected application such as a reporting or visualisation tool.
  • Audit and visibility: A CASB can provide visibility into users’ activities and alert IT teams in the event of suspicious or anomalous behaviours. Detailed logs record which users access data, as well as when, where, and how they access data. This functionality can prove particularly helpful when searching for the source of a breach. Additionally, comprehensive visibility is critical for enabling audit and demonstrating compliance with regulatory demands.
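The tokenisation described under "Protecting data at rest" and in the Tokenisation bullet above, as an added example that is not code from the article or from Bitglass: a constructed in-memory token vault with a constructed sample record. The role names and the vault itself are assumptions standing in for an enterprise authorisation decision and a separately hardened token store.

```python
import secrets

# Assumed roles permitted to see plaintext; stands in for a real AuthZ service.
AUTHORISED_ROLES = {"privacy-officer", "support-tier2"}


class TokenVault:
    """Constructed in-memory vault. In production it lives in a separate,
    hardened store, so a breach of the cloud data store yields only tokens."""

    def __init__(self):
        self._token_to_value = {}
        # Same value -> same token keeps exact-match queries and joins usable,
        # at the cost of revealing that two records share a value.
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Random token: unlike a hash, it carries no information about the
        # value, so low-entropy PII (phone numbers) cannot be brute-forced.
        token = "tok_" + secrets.token_urlsafe(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        if role not in AUTHORISED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._token_to_value[token]


def store_record(vault, record, pii_fields):
    """Replace PII fields before the record reaches the cloud data store."""
    return {k: vault.tokenize(v) if k in pii_fields else v
            for k, v in record.items()}


def read_record(vault, stored, pii_fields, role):
    """Restore PII only for an authorised role; everyone else keeps tokens,
    which is enough for reporting or visualisation tools that never need PII."""
    if role not in AUTHORISED_ROLES:
        return dict(stored)
    return {k: vault.detokenize(v, role) if k in pii_fields else v
            for k, v in stored.items()}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, not real customer data.
    customer = {"customer_id": "C-1001", "email": "jane@example.com", "plan": "gold"}
    stored = store_record(vault, customer, {"email"})
    print(stored)                                          # email is a tok_ value
    print(read_record(vault, stored, {"email"}, "analyst"))  # still tokenised
```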

Flexible, cost-efficient platforms no longer need to be deployed at the expense of visibility and control over data. With a Next-Gen CASB that secures any app, any device, anywhere, organisations can confidently pursue an IaaS strategy.