Making sense of cloud-based security


20 November 2014
Sumit Bansal of Sophos

As businesses become more globalised, many organisations are leveraging new technologies to give their employees access to information and the corporate network outside the office. While mobility and Bring-Your-Own-Device (BYOD) do offer significant productivity advantages, this makes organisations more vulnerable to cyberattacks. Security managers are also daunted by the lack of security planning, legal compliance issues, the complexity in securing a groundswell of devices accessing enterprise data from anywhere and BYOD risks.

As the Personal Data Protection Act (PDPA) comes into force in several ASEAN countries including Singapore and Malaysia, there is also extra pressure for organisations to comply with data regulations and maintain data security of their customers. Organisations must not only be on the right side of the law, but also give customers the confidence that their data are in safe hands.

In addition, there are also security challenges presented by BYOD. The security software and policies of many mobile employees become outdated, and they are unable to access the network when they return from working away from the office. Therefore, the layered security approach which originally combines network security with local device configuration and software maintenance do not work.

With BYOD, customer lists, account numbers, marketing and business plans and other sensitive data are likely to reside on employees’ own computing and mobile devices. There is also the risk that mobile devices will be lost or stolen along with corporate and confidential data stored on it.

Mobility has compelled employees to be responsible for their own security. However, most choose to ignore it as they do not know how to install, update and properly use software. Employees may also unknowingly blur the lines between work and play by using work systems for personal tasks such as social media usage, which could give rise to social engineering opportunities by cybercriminals.

There can be security via the cloud

With these developments, organisations will need to adopt an adequate cloud-based or cloud-managed security product in order to achieve a balance between productivity, cost-effectiveness and security. This should be a product that upgrades automatically, has protection across data, endpoints, systems and devices, and does not require complex setups of servers or infrastructure maintenance.

Organisations should look out for the following features when choosing a cloud security solution:

1) Strikes a balance between protection and convenience
Effective managers always have the same advice: give employees what they need to be successful without getting in their way. It is therefore crucial to find a cloud-based security solution that can protect remote and roaming employees, while being easy to configure to guard against the latest threats. For example, a good chosen solution can enable an organisation to manage security simply and effectively with a single cloud-based management console, so that organisations can gain clear visibility and easily manage the myriad of devices and user behaviours. This can ultimately lead to cost savings and greater efficiency.

2) Secured endpoint access
The solution should include advanced anti-malware, web security and filtering, and mobile device management. It should also be able to secure not just Windows and Mac computers, but also mobile devices. Other traits to look out for includes protecting users from infected websites, enabling administrators to set safe and acceptable web use policy and web filtering, enabling BYOD by allowing organisations to easily manage mobile devices and security policies, and the prevention of unwanted removable storage devices such as USBs.

3) Web protection for users
Since employees are, to a large extent, managing their own security, a good cloud solution should also ensure safer web browsing and protection for end users. This includes protection from malicious and infected websites, and being able to detect and block exploit codes. The solution should also enforce safe and productive web usage such as a time-based policy to limit non-business related browsing and a predefined policy to set policies to address security and compliance requirements.

  • Sumit Bansal is the director for Sophos, ASEAN.