Visibility Requirements for Enterprise Cloud Security

Cloud Service Visibility

The days of a traditional enterprise network with all assets and applications inside a protected perimeter are long gone. Now a hybrid cloud, consisting of infrastructure, assets and applications both inside and outside of the physical enterprise, is the norm. In particular, the direct interaction between a company and its partners, customers and information suppliers outside the firewall creates a need for security that extends to this hybrid cloud.

To achieve cloud security objectives, a company must have extensive visibility into how its applications and data interact with each other in the cloud. Application Programming Interface (API) usage in particular is the essential component to watch, because application-to-application traffic depends so heavily on API-based interactions.

This paper describes the requirements for achieving cloud service visibility, focused on the essential API messages, as a core component of a company’s cloud security initiatives.

Applications in the Hybrid Cloud

Cloud-based application-to-application interaction creates a need for the same IT governance, including security, visibility, access control, analytics and performance management, that companies have depended on internally. The problem is that in most companies, hybrid cloud interaction has grown so fast that security and IT teams are not even aware of all the applications and services in use, much less in control of the data entering and leaving the organization.

The most critical cloud interactions are those directly between applications, tied to essential business processes. Because business-critical data stores are directly impacted by cloud transactions, the security and compliance implications are profound.

Figure 1 – The most critical cloud connections are between business-partner applications.

Examples of cloud business transactions include:

  • Insurance claims processes, with a workflow handed from a customer agency to a claims processor to a partner validating costs and on to another partner paying the provider
  • Customer engagement systems, with software-as-a-service marketing apps passing records via API to internal apps and customer record databases
  • Loan processing, with multiple steps of record checking, application verification, credit analysis and funding all passed via APIs between companies connected in a hybrid cloud

Shadow IT

Much attention is focused on the concept of shadow IT, where individual employees and business units bypass the standard IT functions to directly utilize outside services. While the obvious components of shadow IT are the individual desktops using cloud storage to save and exchange files, or using consumer services as part of their work tasks, these are not the most critical in terms of enterprise security. Cloud business transactions, as described above, carry a much larger risk than individual desktop web users. And while IT policy can shut down use of consumer applications like Dropbox, if a business unit has established applications in the cloud, IT is not in a position to shut them off. The role of the security and IT teams in an enterprise is to facilitate agile business, not prevent it. So IT needs a way to discover, control and incorporate shadow IT applications within its governance model.

Figure 2 – The highest vulnerability is application to application, more than individual to SaaS.

APIs Are Critical to Cloud Security

Application programming interfaces are the glue that connects enterprises to the cloud. While they may not know it, IT teams are already surrounded by API traffic. The successor to web services deployed for internal use over the past decade, APIs have made the communication between applications so much simpler to develop, test and deploy that their use has exploded for publishing services across company boundaries. APIs are now the preferred method for applications to communicate directly in the cloud, whether provisioning storage (Amazon), reading customer records, or running tens of thousands of other applications published as services between business partners. But because they provide a front end to internal business apps and databases of record, APIs can pose a significant security risk. Controlling cloud security starts with knowledge and control of API connections in and out of the enterprise.

Security Impact of Shadow IT

Growth of shadow IT with no security or IT departmental visibility leads to three problems:

1. Unknown security posture – It’s hard to know what your security posture is if you don’t know what is being used by your organization.
2. Risk of audit failures – Lack of visibility drives the risk of an audit failure when an auditor discovers use of a service whose compliance can’t be demonstrated.
3. Proliferation of APIs – An accidental enterprise IT architecture that results from shadow IT often leads to using disparate services for the same purpose. For example, it is not uncommon to see multiple cloud storage solutions being used across departments.

Requirements for Cloud Service Discovery

A new class of security software, designed to give IT operations and security teams visibility into API-based cloud activity, helps meet these demands. The basic requirements for gaining cloud service visibility include:

  • App-to-app visibility. The most important requirement is deep visibility of the API communications between applications. This is more important than high-level tracking of individuals using cloud services. IT must be able to see details of exactly what data is exchanged via API in the cloud.
  • Inbound and outbound. Requests and responses flow both ways. It is not enough to see internal users touching cloud services; IT must see external systems initiating API requests to resources inside the firewall, detecting both valid and suspicious requests. While shadow IT monitoring is sufficient for a statistical view of API traffic to SaaS applications, the real vulnerability comes from external entities using an API as an entry to internal networks.
  • Passive monitoring. “Look but don’t touch” says it all. Before IT can start making changes, it first needs to just observe without any potential impact on existing production. Active monitoring solutions can be a second step for gathering more detailed data, but active data capture requires changes to the architecture and data flow. Passive monitoring can be accomplished without requiring cooperation of the entire organization and production changes.
  • Fast and simple. Systems that require architectural changes, or that impose new tasks and changes on development teams, will not be implemented in time. If it takes consultants and integration programs just to see the size of the problem, it’s probably too complex.
  • Permanent records. Finally, for regulated industries including healthcare and finance, keeping an archive record of message exchanges is a necessity. If you save your email traffic, you certainly need to save the server-to-server API exchanges. Archiving API traffic, in its entirety or selectively, helps in the security audit by giving a definitive answer as to what communications take place with the cloud. It also gives a traceable record for forensic analysis, allowing you to re-create a sequence in the event a detailed security investigation is required.
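The requirements above (app-to-app visibility, inbound and outbound direction, passive observation) as an added Python example, not code from the paper or from Managed Methods: a passive discovery pass over constructed proxy-style log lines that inventories the outbound cloud APIs in use, marks those outside an assumed sanctioned allow-list as shadow IT, and separates inbound API requests from external addresses to hosts in assumed enterprise ranges. The address ranges, allow-list and log format are all assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed enterprise ranges
SANCTIONED = {"api.example-crm.test", "storage.example-cloud.test"}  # assumed allow-list
# Constructed sample proxy-style lines (not real traffic): time src dst method path status
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 api.example-crm.test POST /v1/customers 200
2024-05-01T10:00:02Z 10.1.2.4 files.unknown-saas.test PUT /upload 201
2024-05-01T10:00:03Z 203.0.113.9 10.1.9.9 GET /api/orders 200
2024-05-01T10:00:04Z 10.1.2.3 storage.example-cloud.test GET /bucket/x 200
2024-05-01T10:00:05Z 198.51.100.7 10.1.9.9 POST /api/admin 403
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def is_internal(endpoint):
    # An IP inside the enterprise ranges is internal; hostnames are treated as cloud services
    try:
        return any(ip_address(endpoint) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than abort the passive pass
    ts, src, dst, method, path, status = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "method": method, "path": path, "status": int(status)}

def direction(rec):
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_in and not dst_in:
        return "outbound"
    return "inbound" if dst_in and not src_in else "other"

def discover(log_text):
    # Inventory of outbound cloud APIs (unsanctioned = shadow IT) plus inbound external API calls
    inventory = defaultdict(lambda: {"calls": 0, "sanctioned": False})
    inbound = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        d = direction(rec)
        if d == "outbound":
            entry = inventory[rec["dst"]]
            entry["calls"] += 1
            entry["sanctioned"] = rec["dst"] in SANCTIONED
        elif d == "inbound":
            rec["denied"] = rec["status"] >= 400  # failed inbound API calls merit review
            inbound.append(rec)
    return dict(inventory), inbound
```

The returned inventory is the starting point for bringing discovered services under governance, and the inbound list is the set of externally initiated API calls that the paper identifies as the real exposure.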

Managed Methods Cloud Service Discovery

Cloud Service Discovery from Managed Methods is built for security and IT teams to find and analyze the critical business-to-business data flows between their enterprise and the cloud. Its Free version gives quick visibility of cloud API exchanges, simply and at no cost.
For IT teams grappling with the expansion of cloud services, and security teams needing a deep view of application flows in shadow IT, download a free copy from 
