Over the past few years, your security infrastructure has likely become a lot less effective. No, I’m not referring to the advanced forms of attacks that you’ve been reading about - APTs, polymorphic malware, and the like (though those are certainly a contributing factor). Rather, I’m talking about a series of changes that have resulted in your security infrastructure being completely irrelevant - mobile/BYOD and SaaS.
With the rise of the BYOD and SaaS trends, a greater percentage of traffic exchanged between users and applications happens entirely outside of the corporate firewall. Users access applications like Office 365, Google Apps, Salesforce.com and Box.net directly over the Internet, rather than using a VPN into corporate. When this happens, your firewall, IPS, next-generation threat protection technologies, and any other security device you have put in place is entirely blind to the traffic, rendering it useless.
In this environment, enterprises need to regain control and visibility in three areas:
Visibility and Analytics - For enterprises in heavily regulated industries, there are third party compliance requirements forcing the issue. For all customers, however, getting insights into anomalous user activities, potential data loss events, and user behavior across all applications is a cornerstone of effective security strategy.
Data Protection - Information Security exists solely to protect data - the secret sauce, intellectual property, crown jewels of many of today’s enterprises. With no ability to protect data, information security can’t do its job.
- Identity & Access Management - since users are no longer constrained to a physical location, identifying them and providing access to the data and applications they need, when they need it, is paramount.
The SaaS apps themselves typically have some protection mechanisms in place, but they are sporadic and even non-existent across a large number of the biggest SaaS apps. As an example, try getting User Access logs out of Microsoft Office 365 or Salesforce.com - they are not provided.
In order to solve this issue, there are a couple of options that an enterprise can take, none of which truly solves the problem:
Prohibit SaaS applications from being used. IT is now looked at by The Business and by Users as an enabler, and increasingly, if IT doesn’t enable stakeholders to be as productive as possible, those stakeholders will find a way around IT policies. This is why “Shadow IT” has become such a huge problem in today’s enterprise.
Ensure that Users only access SaaS applications through a VPN, either a device VPN or a per-app VPN as found in iOS 7 and in Mobile Application Management (MAM) products. One major downside here is that today’s Users don’t want to be bothered with the overhead of establishing a VPN before they do their work - they just want to work. This is in addition to the performance degradation and additional bandwidth usage incurred when tunneling all of this traffic into corporate. Making matters worse, MAM solutions don’t typically work with native mail clients, native browsers, or a large number of SaaS applications, so they are, at best, an incomplete solution.
Build custom mobile applications. Not only is this approach too costly for many enterprises, but doing it across all platforms (iOS, Android, Mac OS X, Windows) makes it an absolute non-started from a budget perspective.
Take the risk of lost visibility and lack of data protection.
None of these options really meets the enterprise need, so a new class of products is required to solve these issues. Bitglass can help - take a free test drive of our beta.