SAN FRANCISCO — Shifts in cloud server architectures over just the past few years are outpacing efforts by corporate information security professionals to keep up with them.  

As a result, organizations may have actually regressed in their IT security stance as they shift a greater share of their applications and services off-premises.

That’s the emerging theme, either implied or stated outright, by speakers at the 2016 Cloud Security Alliance summit, part of the RSA Conference taking place here this week.

“We are behind the curve,” said Mark Nunnikhoven, vice president for cloud research at security services provider Trend Micro, during a morning session here. He noted that new things are being built faster than options to secure them.

“This is a constant challenge. This something that we’re not going to be able to solve any time soon, and just the nature of the game.”

The Loser’s Game

It’s one of the most frank acknowledgement we’ve heard in a conference of this nature about the widening gap between information security professionals and the systems they’re hired to protect.

Large organizations may be subscribing to hundreds of cloud-based Software-as-a-Service (SaaS) applications at any one time, and in some cases without the full knowledge of anyone in an oversight capacity.

Security is being baked into these SaaS applications more and more, Nunnikhoven and others make clear. But in a strange way that’s also part of the problem: Each application may utilize its own means to enable access and identity security, and for each new one the organization takes into account, the problem of securing them all together only compounds itself.

“You are always responsible for the security of your deployment, regardless of where it is,” Nunnikhoven told the audience of some 1,500 security professionals. “You are not going to be able to turn around and say, ‘Well, I got the service from him, it’s his fault.’”

SaaS providers take a greater share of the responsibility for securing such components as customers’ personally identifiable data (PID) than, say, IaaS providers that essentially stand up virtual address space for customers’ own systems.

Nonetheless, borrowing a page from Ronald Reagan, the Trend Micro VP suggests that organizations “trust, but verify” the security claims that SaaS providers make.

Rock the CASB

Still, that verification process gets more difficult as the number of SaaS providers being verified increases. Some experts here are calling for greater acceptance of a concept called cloud access security brokers (CASB, pronounced “cas – bee”), which begin the process of centralizing policy management for institutions that utilize multiple SaaS applications, many of which need to be or to become interoperable.

CASBs are not people but rather programs, designed to enforce company-wide access policies. There’s disagreement here today on how CASBs should be delivered, with some preferring they be encapsulated in on-premises appliances under watchful IT or DevOps control, but others saying cloud-based “CASB-as-a-Service” is actually more reliable.

“CASB is a centralized control point,” stated SkyHigh Networks co-founder and CEO Rajiv Gupta, “for making sure that your employee use of the multi-cloud services that you’re responsible for, is meeting your security and compliance requirements.”

Passing up the opportunity to encapsulate network functions as appliances, as his company is known to do, Cisco chief security and trust officer John Stewart told attendees that, from his vantage point, the geographic location of these centralized control points is a trivial affair.

“The control points themselves don’t have to be the installation of something sitting in a rack,” said Stewart.  “It’s just the fact that you know, for absolute sure, that you have the means by which to know what is happening in the layers in-between the activity that is being consumed, and the activity that is being provided.”

The Weakest Links

During today’s CSA sessions and discussions, the point was made that while major SaaS apps like Salesforce can demonstrate high commitments to customer security, they are in themselves ecosystems for the distribution of special purpose and line-of-business apps from smaller providers, many of whom can’t be so easily verified by Salesforce or by anyone else.

It’s the weakest points upon which malware feasts most. These days, experts here agreed, the most successful attack vectors are not new and technically dazzling manifestations of malicious wizardry, but rather the same social engineering exploits that plagued institutions 20 years ago.

The need for centralized control points, and the proliferation of the same old exploits, are leading some experts here to suggest that multiple SaaS applications from different providers could benefit from a single, standardized, open security API.  This way, monitoring tools examining traffic patterns would not need to be reconfigured for each new application – especially as employees install more of them, seemingly on a whim.

There’s a full five days of discussion on this and other issues at RSA in San Francisco for the whole week, and CMSWire will be here for the full week.

For More Information:

Title image of San Francisco skyline by photoeverywhere/stockarch.com