The enterprise cloud is, well, cloudy
Last night I watched a fantastic episode of This Week in Startups with guest Aaron Levie of Box.net. Aaron is a remarkable young CEO who really seems to understand and care about enterprise software, which is a rare combination.
One of the themes of the interview was that CIOs and IT departments at large organizations are starting to embrace the cloud. Jason and Aaron discussed “bottom up” adoption of cloud-based software in the enterprise. Essentially, lower-level employees start using their favorite applications like Dropbox or Evernote at work and the apps become so widespread and integral to collaboration that IT managers and CIOs adopt the technology officially.

They talked about how big Fortune 500 companies are starting to develop or acquire cloud solutions to put in their portfolios (e.g., Oracle buys RightNow, SAP buys SuccessFactors). Cloud, cloud, cloud.
Then, about 23 minutes into the interview, the elephant in the room rears its giant head: what about security?
Even the most progressive enterprises, Aaron remarks, have the philosophy: use any device you want (Mac, PC, iPhones), use any software you want, but secure the data at all costs.
They’d be foolish not to. We’re not talking about MP3s and funny cat photos. We’re talking about intellectual property, source code, patents, legal and HR documents, etc.
As the definition of “secure” evolves, every company is faced with hard decisions.
- Alice: “All of our critical data must stay within the company’s walls.”
- Bob: “But if we can’t share and collaborate, the value of the data decreases substantially.”
- Alice: “OK, we have a VPN. Nothing leaves the VPN!”
- Bob: “But we need to email a contract to our lawyers, print this business plan for our VCs, and grant temporary access to our web agency.”
- Alice: “Fuuuuuuuu!”
So what’s the solution? We have to have a security model that fits today’s distributed work model. We can’t lock everything down lest we destroy efficiency.
Levie goes on:
We have to redefine what it means to be secure and what it means to manage security. Then you move more into this category where visibility is security. If I have far more visibility into where my data is, who’s using it, every access, every event on it — maybe it’s a little more open, but people will use the product and I’ll actually see what’s going on with the data.

Secure collaboration is something Varonis (the company I now work for) has been focused on for years. If you have complete visibility into who can access data and who is accessing data at all times, then you can facilitate collaboration while avoiding the front page of Wikileaks.
Complete visibility is not a trivial accomplishment given the enormous growth and fragmentation of data:
The number one challenge is actually the sprawl that gets created with organizations — the amount of apps and data that people are now consuming and interacting with and how unmanageable that is for IT.
Varonis has been the saving grace for many of the world’s biggest enterprises when it comes to securing unstructured data. Varonis monitors every single event across your entire IT infrastructure: every file open, rename, delete, copy. Every email sent, received, marked as unread, etc. This audit trail enables us to answer all sorts of critical questions (and helps us sleep at night):
- Who is looking at sensitive data?
- What data is stale and should be archived?
- Where can I reduce access?
- Who moved my files?
- Who’s abusing their access?
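To make the idea concrete, here is an added sketch (not Varonis code and not its log format) of how an access-event trail joined with a permissions list answers three of the questions above. The event tuples, paths, user names and age thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, action, path)
EVENTS = [
    ("2012-01-03T09:12:00", "alice", "open",   "/hr/salaries.xlsx"),
    ("2012-01-03T09:15:00", "bob",   "open",   "/eng/design.doc"),
    ("2012-01-04T14:02:00", "carol", "copy",   "/hr/salaries.xlsx"),
    ("2011-03-20T11:00:00", "bob",   "open",   "/eng/old_spec.doc"),
    ("2012-01-05T08:30:00", "alice", "rename", "/eng/design.doc"),
]
# Constructed entitlements: who *can* reach each file, not who *did*.
PERMISSIONS = {
    "/hr/salaries.xlsx": {"alice", "carol", "dave"},
    "/eng/design.doc": {"alice", "bob", "carol"},
    "/eng/old_spec.doc": {"bob", "dave"},
}
SENSITIVE_PREFIXES = ("/hr/",)  # assumed classification rule
NOW = datetime(2012, 1, 10)     # fixed "today" so results are reproducible

def parse(events):
    return [(datetime.fromisoformat(ts), u, a, p) for ts, u, a, p in events]

def sensitive_access(events):
    """Who is looking at sensitive data? Returns {path: set(users)}."""
    seen = {}
    for _, user, _, path in parse(events):
        if path.startswith(SENSITIVE_PREFIXES):
            seen.setdefault(path, set()).add(user)
    return seen

def stale_files(events, permissions, now, max_age_days=180):
    """What data is stale? Files with no event inside the age window."""
    last = {}
    for ts, _, _, path in parse(events):
        last[path] = max(ts, last.get(path, ts))
    cutoff = now - timedelta(days=max_age_days)
    return sorted(p for p in permissions if last.get(p, datetime.min) < cutoff)

def unused_access(events, permissions, now, window_days=90):
    """Where can I reduce access? Users entitled to a file but inactive on it."""
    cutoff = now - timedelta(days=window_days)
    active = {}
    for ts, user, _, path in parse(events):
        if ts >= cutoff:
            active.setdefault(path, set()).add(user)
    idle = {p: sorted(users - active.get(p, set())) for p, users in permissions.items()}
    return {p: u for p, u in idle.items() if u}
```

The third function only works because entitlements and activity are held side by side, which is exactly the data that becomes hard to collect once the files live on someone else's infrastructure.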
The biggest question I have for Aaron, Jason, and everyone else is how do you get visibility if your data is in the cloud? How do you audit access? How do you get visibility into who is accessing what data? Are Google and Amazon going to let us install Varonis on their infrastructure? When it comes to security, the cloud is very, well, cloudy.
Photo credit: http://mp5gosu.deviantart.com/art/Cloudy-stormy-day-47828616
