The pressure is on for IT leadership to guide their organizations through digital transformation. Cloud services compose the modern toolbox for IT to accelerate and enable their businesses. Cloud platforms power more agile product development, better customer service, and big data processing solutions that can create a company’s competitive edge.
Digital transformation does not work without trust, however. Moving to the cloud without a security strategy tailored to cloud environments creates new risks to data. Security concerns can halt or delay the move to the cloud, hurting IT's ability to provide the best possible solutions for the business.
With the right tools and strategy, data can be safer in cloud services than anywhere else. To achieve this goal, security teams must understand where data travels in the cloud. Taking a cloud-native data security approach is a prerequisite to empowering the digital transformation that the business demands. That's because cloud-native security maintains the velocity of the cloud, operating in tandem with your cloud services.
Understanding Your Largest Areas of Risk
Distribution of enterprise data in the cloud, from analysis of billions of anonymized cloud events across a broad set of enterprise organizations.
The first step is to take inventory of your assets. Cloud usage analysis allows the security team to take a data-driven approach to securing information in cloud applications, strategically investing in the areas of greatest importance.
In the early days of cloud adoption, organizations were most concerned with shadow IT, or cloud applications that employees adopted without IT's knowledge. The number of these services in use at a large enterprise can easily reach the thousands. Today, there is a tendency to overestimate the risk this category of application poses to organizations. Only 10 percent of enterprise data in the cloud is sent to unsanctioned applications. Half of that data goes to medium- or low-risk applications, leaving five percent of data sent to high-risk shadow cloud applications. While this is an area of risk to consider, data in sanctioned cloud applications is a much higher priority for security teams.
Infrastructure-as-a-service (IaaS) platforms have risen to become the standard solutions for organizations to develop and distribute their own software. Adoption of these tools, largely led by IT, has contributed to a significant migration of workloads to the cloud, representing 24 percent of all enterprise data uploaded to the cloud.
The bulk of sensitive data in the cloud today exists in a handful of sanctioned cloud services that provide critical collaboration and file-sharing applications. These solutions allow employees to work more efficiently and collaborate across teams and with external business partners. Securing services like Office 365, Salesforce, Box, ServiceNow, and G Suite should be an organization’s greatest cloud security priority.
While these services provide best-in-class security features, the shared responsibility model of cloud services requires enterprises to ensure data is used, shared, and accessed in a secure way. This includes monitoring for and responding to data loss, insider threat, compliance risks, and more.
How MGM Resorts Approaches Cloud Security
Overview of MGM Resorts' approach to securing cloud services
Let’s take a look at how an organization we work with has executed a cloud-native data security strategy in step with their digital transformation. Cloud services play a critical role for MGM Resorts International, helping to share and analyze data and power custom applications across 27 resorts and almost 80,000 employees worldwide.
Their cloud security priorities begin with their highest volume applications, which include Workday and Office 365. At the same time, they also need to manage security for IaaS platforms, data in custom applications, and shadow IT. Additional areas of focus include endpoint security, a SIEM solution, and device-to-cloud coverage for their data and threat protection.
MGM has architected a Security-as-a-Platform approach. Implementing a cloud access security broker (CASB) has allowed them to manage cloud risk across all services from a single cloud security platform. Integrating their CASB solution with network and endpoint security controls gives their security team end-to-end, device-to-cloud security coverage. This allows for features like threat protection and data loss prevention policies to seamlessly apply across all devices and applications – an architecture that addresses the unique risks of business-led digital transformation.
Guiding Principles for Empowering Digital Transformation
Key takeaways from how MGM Resorts approaches cloud security
Organizations like MGM have demonstrated a path for security to enable digital transformation. Their approach caters to the security strengths and challenges characteristic of modern IT business environments.
Security teams empowering digital transformation can learn from the defining principles of cloud security. First, security should be a platform, not a group of point solutions. An end-to-end security platform ensures comprehensive coverage and consistency. Second, no organization can begin to secure data before it understands where and how that data is being used. Take inventory of your organization's assets in order to prioritize your security implementation. Finally, remember that the days of static perimeter security have passed. Identity is the new firewall, meaning the ability to access resources will be based on the individual and the context of their actions. When in doubt, the CSA Cloud Controls Matrix provides valuable, detailed guidance to organizations plotting the path of their own cloud security journey.