Out of control: Rethinking Corporate Cloud Security control

Previously, we identified six different cloud models and identified five different enterprise deployment models based on specific enterprise requirements. Enterprises may directly control specific cloud models and adopt a direct approach to security control, but when this level of control is missing, end-to-end layer pattern protection needs to reduce malicious and accidental threats.

End-to-end Cloud protection is not linear in nature, but is spherical in that the control fragment overlaps because of the flexible global business model, disruptive computing, and dynamic threats. Regardless of the possible intrusion vectors, layered protection can theoretically stop the attack or, at the very least, make an event warning to the security team of the enterprise. As the cloud continues to extend to the boundaries of the corporate network, these are urgent requirements, but in practice they do not exist in traditional forms.

For an enterprise that implements End-to-end security in the cloud, it must first focus on the scope of access, the scope of control, and the way in which the security controls for the cloud environment can and must apply.

Define control scope

The ability to apply End-to-end security control depends first on the enterprise being able to understand the scope of the access, which means understanding the type of device that connects the enterprise assets and the type of connection they are using.

For example, most businesses buy laptops for their employees, but the mobility of such devices means they don't always face the same threat. When employees bring their laptops home and connect through consumer-level networks or bad luck services, the use cases they run in the corporate web cloud environment change. This use case is changed once the employee is on a business trip because they connect to the corporate network with WiFi hotspots in the hotel and airport and conference center.

As the BYOD movement develops, companies expect employees to connect remotely via smartphones and tablet computers, at least to view corporate e-mails, Despite the risk of cloud-based applications like Salesforce.com, it usually means that employees perform more complex tasks on mobile devices, involving many types of data. This also represents another use case, and the same device is considered not to be managed. By moving the workforce, businesses should operate safely and expect each user to have at least four different use cases: office, home, travel and personal mobile devices.

End to end protection diagram

As employees move between different networks and clouds, the scope of their access is clearly changed. The scope of the enterprise's control has also changed, meaning that the enterprise must adjust the safety control, thus can handle these different control scope.

For example, accessing a specific data type based on a user's role may be limited when it passes through an external network. IT staff usually have 24/7/365 access to the enterprise, whereas temporary employees can access enterprise services only when authorized.

Risk biases can also affect access levels, such as when employees are subject to specific legal and regulatory content. Some businesses decide it is best to provide a sandbox virtual desktop for access to HIPAA-protected information. Typical configurations in such areas include the elimination of user executive power, the use of predefined applications, and access to the Internet strictly through the enterprise's firewall and content protection technologies.

Although once a user is transferred to an untrusted network, the ultimate enterprise's effective control over the trusted network no longer applies. For example, if the enterprise's firewall does not manage this connection, it is likely that the antivirus server upgrade definition file is inaccessible, and technical fixes are required.

Cloud Security Control

The development of a new cloud security control requires a systematic approach. The simple method of control design is the near and far effect. Basically, security controls need to stay away from users when they are on a trusted network, and to keep them close to the user when they are on an untrusted network. Therefore, when users operate in untrusted cloud environments, organizations should consider a large number of close-range security controls to prevent malicious attacks, including full disk encryption, robust password enforcement, local anti-virus, and local firewalls.

Cloud security control needs to be put in place, not always so direct, but as the scope of control changes, companies must prepare for similar transfers. The best example of controlling the threat reduction on the corporate cloud is content filtering, which essentially limits the type of Web site users may be accessing, thereby reducing the number of client attacks that are implicated by the Web server. However, if users go to untrusted clouds, such as hotels or even home networks, they may have a better degree of freedom when surfing the internet, bypassing the content filtering technology set up by the enterprise in the cloud, increasing the risk of client attack.

An unsupported use case is a trustworthy customer who, if connected to the corporate cloud, brings a completely different threat to the previous trusted environment. Without proper control, companies may not detect the malicious behavior of trusted customers, potentially causing problems, and reducing customer confidence.

Every scene needs to be controlled.

Whether or not an enterprise provides cloud services or buys services from a cloud provider, you need to understand end-to-end cloud security control, which requires reducing all possible threats. The security team must be aware that cloud security controls must change as the user's access scope changes. This also means that the technology must set rules in the right place between trusted and untrusted clouds to facilitate access through different devices and networks. Without such control, complex and professional attackers will inevitably find ways to attack the corporate cloud infrastructure.