Security "Bits"

The Ultimate Cheat Sheet for Google Apps Security

By Rich Campagna | April 11, 2014 at 7:30 AM

Cloud security continues to be a hot topic, with no signs of slowing down, and a lot of enterprises still don't know what to do about it.


Cloud app vendors provide some level of security, but what gaps remain? Where does their responsibility end and IT's responsibility begin? It really depends on the app itself - there is no consistency in terms of what cloud app vendors take on. Salesforce's stance on security is different from Box's, which is different from Microsoft's with Office 365.

Let's drill down into Google Apps and talk about the key things that you need to put into place above and beyond what Google provides in order to maintain security over your corporate data. 

1. Plan for security 

You're here reading this blog post, so there's a good chance you're either planning ahead, or you jumped headfirst into the cloud only to realize that it's actually made of water vapor and you're now plummeting helplessly to earth looking for some soft ground to land on. Either way, outsourcing an application to the cloud doesn't mean you outsource all security to the cloud as well. At the end of the day, you are still responsible for the security of corporate data, much like you are with internal applications. This means taking the time to plan out policies, communicate them to employees when necessary, and execute.

2. No more fake IDs 

According to Bitglass survey data, only 6% of Box customers and 9% of Salesforce customers are using Single Sign-On to access these applications. The numbers are very low for Google Apps as well.

So what is everyone else doing? Some of you are using things like Google Apps Password Sync to synchronize AD passwords to Google, but most customers that I talk to are creating separate credentials for users directly in Google Apps itself. This means separate usernames and passwords for every user in your organization.

The downside of this approach? More passwords mean a higher likelihood that users will forget them. That means more help desk calls and more passwords written down on sticky notes. While it may take more time up-front, employing a Single Sign-On solution will ensure that your employees have only one password to remember and manage. It also makes things like deleting users easier - deactivating an account in your Single Sign-On system or AD automatically ensures that the user cannot access apps like Google Apps after leaving the company.

3. The Eye of Sauron sees all 

"Concealed within his fortress, the lord of Mordor sees all. His gaze pierces cloud, shadow, earth, and flesh. You know of what I speak, Gandalf: a great Eye, lidless, wreathed in flame."

Sounds sinister. One of the big issues that our customers talk about when moving to cloud apps like Google Apps for Business is the loss of visibility associated with the move.

For some customers, compliance and audit are the big drivers - there is some sort of regulatory hurdle that they must clear as a prerequisite to adopting any cloud app. For others, it's security - they want to know whether Dave downloaded a bunch of sensitive information right before taking a job with a competitor, for example. 

In either case, cloud apps like Google Apps don't provide the visibility necessary to achieve these goals on their own. You'll need to look elsewhere to get visibility into who is doing what with Google Apps. To make sure the important stuff isn't lost in the noise, invest in a platform that can alert on high-risk activities and present them in plain English, rather than simply handing you an audit log of unreadable transactions.
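To make the "plain English alert" point concrete, here is an added example (written for this post, not Bitglass code or Google's audit format) that runs a bulk-download rule over a constructed set of Drive-style audit events. The log lines, the field layout, the ten-minute window and the five-download threshold are all assumptions chosen for illustration; the point is that a readable sentence about Dave comes out, not a raw list of transactions.

```python
"""Plain-English alerting over Google Apps-style Drive audit events.

Constructed example: the log lines below are made up and only loosely
resemble Google Drive audit entries. The field names, the detection window,
the threshold and the alert wording are assumptions, not a vendor's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: time, actor, event, document title
SAMPLE_LOG = """\
2014-04-10T16:58:12Z,dave@example.com,view,Q1 pipeline.xlsx
2014-04-10T17:01:40Z,alice@example.com,download,Team lunch menu.docx
2014-04-10T17:02:05Z,dave@example.com,download,Customer list - EMEA.xlsx
2014-04-10T17:02:31Z,dave@example.com,download,Pricing 2014.pdf
2014-04-10T17:03:09Z,dave@example.com,download,Competitive analysis.pptx
2014-04-10T17:04:44Z,dave@example.com,download,Renewal forecast.xlsx
2014-04-10T17:05:02Z,dave@example.com,download,Board deck - March.pptx
2014-04-10T17:40:15Z,alice@example.com,download,Expense policy.pdf
2014-04-10T18:30:00Z,dave@example.com,download,Q1 pipeline.xlsx
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed: >= 5 downloads in the window is "bulk"


def parse_events(text):
    """Parse the constructed log into sorted (time, actor, event, title) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, event, title = line.split(",", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, event, title))
    return sorted(events, key=lambda e: e[0])


def detect_bulk_downloads(events, window=WINDOW, threshold=THRESHOLD):
    """Return one readable alert per burst in which an actor's downloads
    inside the sliding window reach the threshold."""
    recent = defaultdict(deque)   # actor -> (time, title) pairs inside the window
    alerted_until = {}            # actor -> time of the last alert, to avoid repeats
    alerts = []
    for ts, actor, event, title in events:
        if event != "download":
            continue
        q = recent[actor]
        q.append((ts, title))
        while q and ts - q[0][0] > window:
            q.popleft()
        # Fire only if the whole burst is newer than the last alert for this actor
        if len(q) >= threshold and alerted_until.get(actor, datetime.min) < q[0][0]:
            alerted_until[actor] = ts
            minutes = int((ts - q[0][0]).total_seconds() // 60)
            titles = ", ".join(t for _, t in q)
            alerts.append(
                f"{actor} downloaded {len(q)} documents in {minutes} minutes "
                f"ending {ts:%Y-%m-%d %H:%M} UTC: {titles}"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(parse_events(SAMPLE_LOG)):
        print(alert)
```

The suppression logic matters in practice: without it, every additional download after the fifth would raise a fresh alert and bury the analyst in the very noise the rule is meant to remove. Alice's two downloads, 39 minutes apart, never trip the rule.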

4. Lock it up

Not all data is created equal. Some data is meant to be shared - marketing materials, as an example. Other data, such as the secret recipe for Coca-Cola, needs to be kept secret. In actuality, the vast majority of corporate data falls somewhere between these two extremes, along a spectrum where varying levels of security need to be applied.

In some cases, there is data such as credit card numbers and customer data that you never want on endpoint devices. For those cases, you'll want to employ a solution that can keep data from being downloaded. In other cases, you want data to be fully accessible by employees, but still keep tabs on where it's going. In those cases, a solution that can tag and track corporate data is a better fit.
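The spectrum described above maps naturally onto a small classifier that sorts a document into a tier and then picks the handling action (allow, allow but track, or block the download). The following is an added example written for this post, not Bitglass's or Google's classifier: the tier names, the "customer data" marker pattern, the internal-only keywords and the actions are assumptions, and the payment-card detector uses a Luhn checksum so that arbitrary digit runs such as order numbers are not mistaken for card numbers.

```python
"""Sort a document body into a sharing tier and map it to a download action.

Constructed example: tiers, markers and actions are assumptions chosen to
illustrate the public / internal / restricted spectrum, not a product's rules.
"""
import re

# Tier -> what happens when a user tries to pull the document to a device
ACTIONS = {
    "public": "allow",          # marketing material: share freely
    "internal": "allow+track",  # tag the copy and log where it goes
    "restricted": "block",      # never lands on an endpoint
}

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Assumed marker for customer records; real deployments use their own labels
CUSTOMER_RE = re.compile(r"\bcustomer\s+(?:id|record|list)\b", re.IGNORECASE)
INTERNAL_MARKERS = ("internal only", "confidential", "do not distribute")


def luhn_valid(digits):
    """Luhn checksum used by payment cards; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like cards and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(text):
    """Return (tier, reasons) for a document body."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    if CUSTOMER_RE.search(text):
        reasons.append("customer data marker")
    if reasons:
        return "restricted", reasons
    lowered = text.lower()
    hits = [m for m in INTERNAL_MARKERS if m in lowered]
    if hits:
        return "internal", [f"marker '{h}'" for h in hits]
    return "public", ["no sensitive markers found"]


def download_decision(text):
    """Return (action, tier, reasons) for a download attempt on this document."""
    tier, reasons = classify(text)
    return ACTIONS[tier], tier, reasons


if __name__ == "__main__":
    # Constructed sample documents; 4111 1111 1111 1111 is a well-known test card
    for doc in (
        "Spring product brochure, ref 1234 5678 9012 3456",
        "Internal only: draft pricing notes",
        "Order confirmed, card 4111 1111 1111 1111 on file.",
        "Customer list for EMEA",
    ):
        print(download_decision(doc))
```

The reasons list is what an administrator or the affected user sees, which keeps a blocked download explainable rather than mysterious; the "ref 1234 5678 9012 3456" brochure stays public because that run fails the Luhn check even though it has the right shape.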

Of course, all of this cloud application data is being downloaded to mobile devices, both corporate-managed and BYOD, so you need to protect that point of consumption as well; employing a BYOD security solution is of paramount importance. After all, there's no point in locking the back door if you leave the front door wide open.

Bitglass can help with many of these Google Apps security challenges - find out more here

What other best practices for Google Apps security have you employed in your organization? Share them in the comments section below!
