Once an abstract and futuristic concept, the cloud has now extended its very tangible tendrils into nearly all aspects of the modern enterprise. In fact, the abundance of cloud options that organizations enjoy today has become somewhat of a liability, with information security leaders struggling to juggle varied security capabilities across multiple platforms. There’s no silver bullet solution for these growing pains, but platform security posture management (or PSPM) can provide a strong security foundation, helping to identify and mitigate vulnerabilities before bad actors can take advantage of them.
Organizations have been relying on disparate cloud ecosystems for years, and research from 2019 put the average number of cloud services at 1,295 per enterprise. That number is only going to grow, according to Flexera’s 2021 State of the Cloud Report. When asked about cloud usage and the coronavirus, 90% of respondents expect the pandemic to increase their reliance on the cloud, with 29% reporting it would be significantly greater than planned.
Even individual solutions are constantly changing, and an organization might completely overhaul the way it uses a tool over time. For instance, companies often implement Salesforce as a simple customer relationship management system for sales teams (and set security configurations as such), but other departments (such as customer service and even IT) start to take advantage of the software, turning it into a mission-critical platform. It’s up to your organization to reflect that evolution with security changes and updates.
A Shared Security Burden
According to one study, around 60% of security professionals worldwide still have an incomplete grasp of the shared responsibility security model. Salesforce is responsible for securing its own platform, of course, but the company can’t possibly make sure its more than 150,000 customers are taking all the necessary precautions and configuring their security settings correctly — and most of them aren’t. Whether giving access privileges to guest users or having far too many administrators is to blame, Gartner estimates that 99% of all cloud security failures through 2025 will be the fault of the customer and not the provider — illustrating the magnitude of the problem.
It’s easy to see how security cracks emerge. Mission-critical cloud platforms have dozens of security settings, and an organization might rely on hundreds of them. Because the context around an application’s usage will almost inevitably change over time, security settings must be revisited regularly to ensure the proper adjustments are made. It’s a tall order, but platform security posture management is nonnegotiable for organizations that take security seriously. To get started on your own ongoing security journey, there are a couple of steps you can take.
First, audit your system thoroughly. Cloud adoption has been on a steep upward trajectory since the technology emerged, and the pandemic only increased the pace of cloud implementations. In this environment, you might be using software-as-a-service, platform-as-a-service, infrastructure-as-a-service, or a combination of these solutions, and each will need to be examined closely to ensure you know how it’s being used. Salesforce is often labeled as a SaaS CRM, but its features and flexibility mean that it frequently evolves into a PaaS that houses data from every department in an organization. Part of PSPM is noting that evolution and updating security configurations to reflect the solution’s status as a platform instead of an isolated piece of software.
Second, denote responsibilities clearly. In a large organization, there’s bound to be some degree of overlap between positions, and in most cases, somebody takes care of those amorphous responsibilities. When dealing with security, however, it’s important to remove ambiguity wherever possible. Identify key stakeholders in your organization; that might include the chief information security officer, a designated PSPM task force, and/or an independent cloud security management firm. Make sure that each individual is clearly aware of their role in the broader PSPM mission.
Cloud providers such as Salesforce have invested fortunes in robust security measures that protect platforms and their users from threats. However, data ultimately shows that the biggest security threat cloud users face is their own carelessness. Shoring up cloud security is a matter of putting in the work, and PSPM is the foundation of this effort.
Brian Olearczyk focuses on customer success for clients of RevCult. His perspective is informed by working with the most complex organizations in the world on data governance.