BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

What To Know About Cloud-Based Security Amid Digital Transformation

Forbes Technology Council

Sundaram Lakshmanan, CTO of SASE Products, Lookout, Inc.

Modern enterprises have become more efficient due to the adoption of cloud technology. Operations are more scalable, and workers can stay productive from anywhere and on any device.

But as various business units speed through digital transformation, security remains stagnant and tethered to hardware. This is not necessarily the best option. Like other parts of the organization, security can also benefit from the cloud. In fact, I would argue that the cloud is now a requirement for security as data spreads across countless applications—both on-premises and in the cloud—and the internet takes over as the new corporate network.

To ensure sensitive data is secure while enabling productivity, you need to be able to make smart zero-trust access decisions that take into account both the fluctuating risk level of users and endpoints, as well as the sensitivity level of data. One way that companies are trying to get to that point is by moving away from deploying disparate products and looking for comprehensive platforms.

The cloud turned security requirements inside out.

Old-school security focused on locking down everything—apps, data and users all had to sit inside corporate perimeters and only managed devices were allowed. The philosophy also revolved around deploying disparate tools that solved a specific issue.

But as everything moves to the cloud and users work from anywhere, not only do you lose visibility and control but the challenges get more complex. This means having dedicated teams that are siloed from each other becomes unsustainable. Especially as cybersecurity continues to face a labor shortage, you need to be streamlining operations, not expanding them.

To support productivity when the pandemic forced everyone to work from home, organizations prioritized remote access tools like virtual private networks (VPNs) with bolted-on security tools claiming to enforce zero trust. But the issue is that these products only conduct security checks at the time of access.

What if an account was compromised by a phishing attack and starts to download sensitive data? What if a critical vulnerability on an endpoint’s operating system was discovered? The challenge with time-of-access posture checks is that the risk levels of users and endpoints change all the time.

To ensure you enable remote work while protecting sensitive data, security needs to be cross-functional. For example, data loss prevention (DLP) (paywall) provides deep insights into the type of data you own, but it’s generally not administered by the same people that own cloud services. Zero trust needs all your security tools to be working together, ensuring that access is granular and dynamic, which is why companies are turning toward cloud-delivered solutions.

What To Look For In A Cloud Security Platform

Even within cloud-delivered security, there are two components to look out for: risk-level awareness and content awareness. To ensure an organization safely realizes its full potential in a work-from-anywhere environment, organizations need to have an understanding of some key concepts when considering cloud-delivered platforms:

1. Risk-level awareness. You need a continuous awareness of the risk level of your endpoints and users, which changes all the time. By taking into account these changes, organizations can ensure that access is given and taken away in an ongoing manner.

2. Content awareness. This is the idea that you take into account the sensitivity level of the data someone seeks to access. Risk-based access mitigates threats related to users and endpoints. But to ensure access decisions are made efficiently, you also should reference the data itself.

3. Granular actions. Data awareness needs to extend into nuanced policy enforcement as well, to ensure productivity is not hindered. Zero-trust access decisions should not be binary. Granular actions such as watermarking, redacting keywords and restricting downloads are critical to ensure any risk is mitigated and that data is protected at all times.

4. Proactive encryption. Data protection needs to also go beyond your sphere of influence. Consider proactive encryption technologies that understand data sensitivity in order to ensure that the most sensitive data can only be accessed by authorized users, even if it’s passed around offline.

How do you get started with your security digital transformation?

All those capabilities I mentioned above sound great on paper. But implementing them is another story. Historically, organizations had dedicated teams for different functionalities: information security, network security, endpoint security, etc. Some of the common challenges with this approach are:

1. Enterprise security often lacks a "vision:" Different departments move at different paces within large organizations, which can make it difficult to produce a combined vision or roadmap for security roll out. Sales teams and marketing teams, for example, often move to adopt cloud platforms much sooner than finance, HR or engineering teams.

2. Security is reactive: IT teams may be burdened to support legacy solutions while supporting these expansions. To overcome these burdens, find the right projects to kick start security digital transformations.

3. Security carries a control-first mindset: Securing the work-from-home workforce and cloud technology needs a "productivity-first" mindset. The security functions today in organizations are used to "security-first" or "control-first" mindset. Saying "no" is not an option anymore for IT teams.

4. Cloud and cloud applications are game changers in enterprise business delivery: There will be a steep learning curve during the initial phases of the security digital transformation project. The security teams, before they re-learn the cloud delivered security controls, will also have to learn the nuances of the cloud services and applications before they can effectively secure them.

To conclude, with data and users residing everywhere, organizations need to rethink the way security has been delivered historically, but among cloud products, you need to ensure that you have all the telemetry and policy enforcement capabilities needed to efficiently enforce zero trust. In short, it’s not just where your security is delivered from, but how they work with each other.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Follow me on LinkedInCheck out my website