Milan Kundera’s The Unbearable Lightness of Being opens with a philosophical discussion of lightness versus heaviness—and the paradox described in the book’s title. What follows from the assumption that a person may choose only one path in life, weighing one against the other, is the question, is lightness splendid and weight a burden, or does meaning only come from weight? In many ways this is akin to the existential struggle enterprises find themselves in when considering the adoption and implementation of new technologies. In this scenario, lightness includes things like Bring Your Own Device (BYOD), the Internet of Things (IoT) and consumerization. Heaviness, on the other hand, is regulatory compliance, external threats and control.

The first path offers boundless productivity but a lack of centralized control; the latter offers attestable security but a lack of agility.

Although many employees understand that the workplace, including the equipment and applications used to carry out their jobs, are provided and sanctioned by their employer, the work environment nevertheless remains a kind of extension of personal space. Fewer jobs recognize set hours, and the office is as likely to be the kitchen table as the cubicle. Laptops are used for both work and personal browsing; smartphones are used to communicate with coworkers, customers, friends and family; productivity applications share space with games. As such, monitoring that space is seen as evidence of mistrust.

At the 2014 IAPP Privacy Academy & CSA Congress, Adallom CEO Assaf Rappaport will present a talk entitled “The Unbearable Lightness of SaaS” which will tackle the above in the context of SaaS adoption juxtaposed with the reality that many of the existing status quo controls become irrelevant:

• Endpoint protection can’t be relied upon because at least one user will access the SaaS application from an unmanaged device.
• Network or perimeter defenses, like firewalls, don’t have control over what they can’t see, and since at least one user will access a SaaS application through an insecure or “public” network, such as a mobile phone carrier, the connection will happen outside the purview of firewalls.

This “SaaS security gap” has opportuned a new breed of solutions called “Cloud Access Security Brokers” (CASBs), which Gartner defines as “security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”

These services primarily rely on observational capabilities, through various methods such as proxies, agents and APIs, in order to enable attestation, enforce policy and provide security.

However, there is an intimacy associated with observation; as social creatures, we vary our behavior (and its expression through language) according to social context. For example when we are aware of cameras they create a kind of ambiguous social context and, thus, discomfort. But in a situation such as a parking garage late at night, cameras may provide a sense of security that comes from the knowledge that an otherwise empty space is being monitored—that there is someone behind the lens standing by should something malicious happen.

Several questions then arise: What security and privacy structure allows a company to benefit from the very real safety that monitoring employee activities may provide, without creating an uncomfortable “heavy” or even Orwellian environment? Further, what should the enterprise do with the information recorded, as far as storage, sharing, secondary use and disposal? Finally, do these records then become subject to view by government entities?

Enterprise SaaS adoption is an estuary; a transition zone between the contained rivers of legacy IT, and the vast, effectively unconstrained ocean that is the cloud. It stands to reason that we must protect our users and data when they leave the perimeter. However, there are two pillars we must consider:

• Employees must be cognizant that they are being monitored, and therefore, it is important for them to understand why they are being monitored and exactly what information is being seen and kept by their employer. In other words, they must be part of the larger security discussion.
• Security and compliance controls should never impact, and ideally should enhance, the productivity of users and the agility of the business. Given the option to park in a garage with a security guard and cameras or one without, which would you choose? It’s crucial to focus on the utility and benefit to the user.

Nurturing healthy privacy, security and compliance functions is a balancing act. Integration of these three areas can result in conflicting missions, whereas decoupling them can make it difficult to ensure a cohesive cloud strategy. Good security posture is now considered a competitive differentiator in the market, and we anticipate this trend to rise as trust becomes an ever more pronounced factor in purchasing decisions.

SaaS is here to stay.

Each company must find its own balance, calibrated according to its organizational structure—provided they are in line with the two pillars above, unbearable though it may seem at times, we must, as enablers and defenders, find a way to make IT both “light” and meaningful if we want our companies to continue being.

photo credit: kevin dooley via photopin cc