Rajan Kapoor, Senior Manager for Trust and Security at Dropbox, stressed the importance of usable, universally adoptable services for long-term enterprise security.
Kapoor's talk at the 2016 Chief Information Officer Leadership Forum in Chicago on March 9 focused on the three pillars of successful adaptation of cloud solutions: security fundamentals, enterprise readiness, and user adoption.
Kapoor began with some negative trend lines. “We know the trends for cloud security are often not good. I’m not here to give you an account of all the risk factors. Your job is to find solutions so that these trends don’t matter.”
Solutions that get us past the scary headlines depend on users being willing and able to use what you give them. Kapoor’s talk can be summarized in four words: user adoption drives security. This might sound counter-intuitive, said Kapoor, but security isn't found in check boxes, which give only the illusion of control through curtains, veils, and permissions. Getting the first two pillars right, security fundamentals and enterprise readiness, is not enough on its own: "That’s why even if you get the first two right, user adoption is crucial."
Security fundamentals are tangible. Work with partners who will keep your data secure and put your interests first, Kapoor advised. Features that protect users include two-factor authentication and remote wipe. Relevant compliance standards and attestations include ISO 27001/27002, ISO 27018/27017, HIPAA, and SOC 2/SOC 3. Data must be encrypted both at rest and in transit; this is non-negotiable, he emphasized.
On the issue of readiness, Kapoor stressed that the days of an enterprise having a monopoly on its own infrastructure are over, so the cloud is entering your enterprise whether you like it or not. Users are tempted to bring in their own cloud solutions when there is no approved tool in the box, and that is where security issues arise. Your employees are usually neither malicious nor careless; they are simply looking for the most efficient way to get work done.
In fact, "ninety percent of cloud services in use by the average company are introduced by employees without the knowledge of the IT department." But before you go banging on cubicle walls telling people to take your data back down from the cloud, ask yourself why they went there in the first place.
Enterprise readiness can be summed up in two ideas. Make sure the solution you select uses open APIs, and make sure you have a healthy partner ecosystem so your data can flow easily. Beware the unicorn of all-in-one services, Kapoor warned. "Instead, think of a good architecture as one with hooks that allow you to drop in solutions as needed. Look for services that you can slot in that are open, agile, and flexible." That way, you’ll be future-proofed and have good data flow.
What does it look like when you do it right? Kapoor gave the example of a Big Five publishing house. Once upon a time, authors, editors, and designers had no common platform on which to send out text, await and incorporate multiple sets of comments, design cover art, produce camera-ready copy, and so on. Once an in-house, universally adoptable service (Dropbox) became available, data could leave the principals without leaking out in a way that presented a security issue. Dropbox was able to tear down the silos while still letting data flow safely to all parties.
Kapoor encouraged his audience to keep a realistic attitude. We’re used to thinking of the cloud in terms of either of two extremes. "The cloud is either a scary place where your data is at risk and where users are dumping data without your knowledge, or it's a magically happy place where you can be a hero/ine to your organization.”
In reality, the cloud is what you make of it.
ABOUT RAJAN KAPOOR:
Rajan is a Senior Manager for Trust and Security at Dropbox. He works to champion privacy and security principles for Dropbox users and employees. Above all, Rajan works to keep Dropbox worthy of trust. He joined Dropbox in January 2014 with over 13 years of experience in Information Technology. Previous roles include the CTO of Van Wagner Communications and Director of Technology at Eurasia Group.