WHITE PAPER
Working the Numbers: How to Quantify the Value of a Cloud Access Security Broker (CASB)
3945 Freedom Circle Suite 560 Santa Clara CA 95054 /// 650 300 5222 /// info@palerra.com /// palerra.com
The Elusive Security ROI
It is challenging to measure return on investment (ROI) for information security (InfoSec) technology. Enterprises
usually treat InfoSec technology as an insurance policy against the potentially devastating costs of not deploying it.
From that perspective, your security technology ROI can be determined by the time it takes for a breach to occur
that has cost consequences that are equal to or greater than your investment. Your ROI could be immediate. Or it
could be longer term. With that in mind, it is hard to justify yet another security technology, but a move to the cloud
suggests that you should.
If you are leveraging cloud technology today, you are likely doing it because it enables your enterprise to be more
agile and competitive while saving significant costs. However, there are risks associated with these benefits. Getting
new capabilities quickly is worth far less if it means cracking a hole in your security armor that results in industry
compliance violations and fees, loss of intellectual property, loss of customer data, and damage to your reputation,
brand, and future business.
Whether you are leveraging the cloud for Software as a Service (SaaS), Infrastructure as
a Service (IaaS), and/or Platform as a Service (PaaS), cloud security is a mandatory cost
of doing business. On June 15, 2016, Gartner issued this press release: “Gartner Identifies
the Top 10 Technologies for Information Security in 2016,” and included Cloud Access
Security Brokers (CASBs) at the top of that list. Not protecting your data and IP in the
cloud is not an option.
Knowing that an ROI for a CASB could be longer term, how do you quickly quantify
additional value of a CASB so you can make sure it gets a high priority in your already
stretched InfoSec budget? This paper helps you to build a business case by walking you
through the cost considerations and payback of a CASB. The paper will demonstrate
that a CASB provides stronger cloud protection at a lower cost than traditional security
processes and tools.
Why CASBs are Mandatory
Let’s take a look at why you need a CASB:
1. The rise of SaaS is no longer a surprise—it’s pervasive. The Cisco Global Cloud Index reports that by 2018, 58%
of all cloud workloads will be Software as a Service (SaaS). Even the financial services sector, long considered
a laggard in SaaS adoption, now uses SaaS for 42% of its apps. Equally important, employees are using
unsanctioned cloud applications (applications that are installed without the knowledge or permission of your IT
group) at an alarming rate.
2. Adoption of IaaS is growing rapidly. IaaS is considered the fastest-growing cloud services market. AWS did close
to $8B in revenue in 2015, and the market as a whole is forecast to reach $22.4B in 2016. Many enterprises are
moving their entire infrastructure to the cloud. For example, GE made a strategic decision to be “100 percent
public cloud.”
3. The network perimeter has eroded. Your employees use smartphones and tablets and work at remote locations
around the globe. Gartner predicts that by 2017, 50% of employers will require BYOD. And Cisco believes that
there will be a 73% growth in mobile devices from 2014 to 2018. Combine these facts with an estimated 86% of all
workloads in the cloud by 2019, and it is reasonable to assume that a high percentage of corporate apps and data
interactions are being done by unmanaged users and devices.
4. You can’t hire your way out of this problem. The top-paying cybersecurity job is a security software engineer with
an average annual salary of $233,333, according to a recent report from the job board Dice. That tops the salary
for a CSO, which is $225,000. And these professionals are an increasingly scarce resource. In 2014, the Cisco
Annual Security Report warned that the worldwide shortage of InfoSec professionals was at 1,000,000. Michael
Brown, former CEO at Symantec, expects that to rise to 1.5M by 2019. The evidence is mounting that people-
centric approaches won’t work.
Massive adoption of cloud services means that they are the new norm for holding mission critical enterprise data, IP,
and other assets. Because of that, cloud services are now the target of outside hackers and suspect insiders. Securing
your growing cloud services with traditional tools and cybersecurity professionals has grown, at best, unwieldy,
requiring integration and management of 20 or more different security products. In practical terms, success with
this approach is nearly impossible because of the time and cost associated with traditional, manual forensics and a
dearth of skilled labor.
A CASB uses machine learning and automation to provide a critical control point for the secure and compliant use
of cloud services across multiple providers. Centered around delivering visibility, compliance, data security, and
threat protection, a CASB should include integration with your existing enterprise security solutions such as Security
Information and Event Management (SIEM), Identity as a Service (IDaaS), and Next Generation Firewalls (NGFW).
Instead of relying on manual processes for identifying and remediating risk, the CASB does it for you—saving
significant time and eliminating human error.
Getting Cloud Security into your Budget
To prevent cloud security from falling through the cracks, your enterprise IT or security budget needs line items for
security for both applications (SaaS) and infrastructure (IaaS). Some companies rank security projects according to
their value, so it’s important to calculate the value of cloud security and prioritize it relative to other IT and network
security projects.
Here are a few ways to place value on cloud security:
• Calculate the financial exposure of not having a CASB
    a. Compliance violations
    b. Lost intellectual property
    c. Damage to your brand
• Align cloud security spending with business objectives
• Calculate cost savings for cybersecurity expertise through automation
The first item above is “insurance”—that is, the value is realized when you avoid the problem. The second item is
based on the business case that you built when you moved to the cloud, versus the annual cost of implementing a
CASB to provide security for your cloud investment. The third demonstrates the dollar savings for skilled cybersecurity
professionals.
Demonstrate the Financial Exposure of Not Having a CASB
There are numerous regulatory and compliance requirements that enterprises need to follow as a course of doing
business. When found in violation of these requirements, huge fines and damage to brand reputation can result. In
addition, breaches from both external and internal sources can result in IP and data theft, causing equity loss and
fees from potential lawsuits. The cost of technology compliance violations, damages to brand and reputation, and the
loss of future business can be substantial.
It’s important to calculate and include in your CASB business case the savings associated with the following:
• COMPLIANCE VIOLATIONS. A number of industries have general compliance regulations about using technology
safely in ways that minimize the risk of customer or patient data being compromised. A CASB imposes controls on
cloud usage to ensure compliance with specific industry regulations such as HIPAA for the healthcare industry. The
data below shows current average penalties that a breach of patient information can incur under the Healthcare
Insurance Portability and Accountability Act (HIPAA):

HIPAA Violation Average Costs

Health and Human Services (HHS) fine    up to $1.5 million/violation/year
Federal Trade Commission fines          $16,000/violation
Class action lawsuits                   $1,000/record
State attorney generals                 $150,000 – $6.8 million

Note that some IaaS offerings, such as Amazon Web Services (AWS), offer compliance options with their services.
These are intended to help keep you in compliance with your industry requirements, but they do not set compliant
configurations on your behalf. You must review their instructions and do it yourself. And the compliance setups
pertain only to the IaaS cloud infrastructure, not to who accesses the data. Compliance rules and capabilities can
instead be built into the CASB and automated so that you are fully compliant and avoid these penalties.
• LOST INTELLECTUAL PROPERTY. People are starting to trust the cloud with their intellectual property (IP), so they
need the same levels of security controls whether data resides in the cloud or on their premises. A pharmaceutical
company might be developing the next generation of drugs or a car manufacturer might be designing the
next innovation in vehicle safety. Customer data is also a valued asset. In general, equity losses can be nearly
inestimable if trade secrets, patents, intellectual capital, and other corporate-sensitive data are stolen.
• DAMAGE TO YOUR BRAND. This happens when news of a breach is publicized and customers and partners get
cold feet about the safety of doing business with the enterprise. The Ponemon Institute estimates that $239,000 in
hourly losses can be attributed to reputation damage and churn.
Align Cloud Security Spending with Business Objectives
One of the best ways to get your cloud security budget approved is to align cloud security spending with business
objectives. Your enterprise is leveraging the cloud today because it enables one or more major business objectives,
most likely having to do with improved agility and cost savings. You need to make a business case that cloud security
expenses are minimal compared to the value that the organization receives from the cloud, and emphasize that cloud
security is mandatory to ensure that agility and cost savings (your business objectives) can be realized.
There’s a good chance that you already have a business case for moving to the cloud. Here is an example of a
cloud business case from GE Oil & Gas to demonstrate their cost and operational benefits of moving to AWS. In this
example, GE was able to demonstrate a $14M year-over-year savings. While not every company has that type of
savings, chances are your company is enjoying tremendous savings from the cloud.
If you have an existing cloud business case like GE’s with an annual savings number, use it. If not, you can calculate
the value of the cloud for your enterprise. What can you do using cloud services that you wouldn’t otherwise be able
to do? What cost savings are you able to realize?
Next, you need to calculate the cost to implement and maintain a CASB. A CASB vendor can help assess your
environment and requirements. Be sure to ask the vendor to let you trial a CASB proof of value at no cost. Palerra is
an example of a CASB vendor that would be happy to work with you on this assessment.
Once you have analyzed the value and the cost, subtract the cost of the CASB from the cloud business case. Cloud
security can be easily justified when measured against the advantages of the cloud. You will be able to demonstrate
that the cost of a CASB (which is a mandatory control to ensure that you achieve your business objectives) is a
fraction of the benefits that you will realize from the cloud.
[Figure: GE Oil & Gas cloud business case. Panels, in the order shown:
Business Agility: 77% faster to deliver business applications; rapid experimentation; reduced technical debt; streamlined M&A activity.
Operational Resilience: 98% reduction in P1/P0’s; improved security posture; 15 cloud services created; improved performance.
Cost Avoidance: 52% average TCO savings; 80% cloud first adoption.
Workforce Productivity: 15 automated bots developed; 8 cloud migration parties; shift to self-service culture; DevOps in practice.
Operational Costs: 35% reduction in compute assets (792); 50 applications decommissioned; $14M YOY savings.
Progress: $14.2M investment; 18 months; focus 311 apps in cloud; $14M YOY savings.]
Demonstrate Cost Savings for Cybersecurity Expertise Through Automation
A CASB can automate the detective work (forensics) related to cloud-related security incidents, accelerating
completion of the work from weeks or months to mere minutes. There are generally four phases of forensics:
1. Data aggregation from multiple cloud providers
2. Analysis of the aggregated data, such as comparing events against known threats, finding patterns of deviation,
and identifying the most likely causes of an incident
3. Prioritization of the data gathered into actionable recommendations
4. Remediation (taking action)
Traditional approaches to these four forensic steps place a heavy emphasis on manual labor, while CASBs shift the
emphasis to codifying events, outcomes, and actions in software.
Also note that when human operators analyze, prioritize, and act on events, there is significant time involved up front
in learning about the cloud parameters. On average, it takes 2-3 weeks for an engineer to learn security parameters,
and it might be months before a typical engineer has learned them all.
People cost money. An average salary for a security software engineer is $233,333 according to the job board that
was cited earlier in this paper. And people are slower and more error-prone than automated systems. According to
a Ponemon study, the mean time to identify (MTTI) a data breach is 201 days (with a range of 20-569 days), and the
mean time to contain (MTTC) is 70 days (with a range from 11-126 days). That’s a total of 2168 hours at $112 per
hour, or $242,816 for just one breach. A CASB with sophisticated automation capabilities can cut this cost by 20% to
80%, depending on the number of cloud providers and number of cloud services in use with each provider.
Summary
As new risks to the IT environment emerge, it’s critical for IT security budgets to account
for these risks. Cloud services open up a wealth of capabilities and benefits, but they also
introduce new risks that need to be mitigated. If you can determine the value of the cloud
service(s) to your organization and subtract what it costs to secure it, you will be left with
a net value of using those services. If the cost to own and maintain a solution or the cost
of deterring a breach is greater than the value you derive from your cloud service, your
enterprise computing expenses are out of balance.
Automated systems like CASBs do a better job of securing cloud environments than
traditional manual processes. The size and complexity of today’s attack surface makes
it costly to identify, correlate, categorize, and act on anomalies. These costs are in both
hourly forensic analyst wages and the amount of time a cloud service is vulnerable while
humans attempt to secure it.
If you find that a CASB aligns with your business objectives for doing business in the cloud, the next step is to find the
CASB that’s as cost-effective as possible and provides the most comprehensive security you can get.
Palerra LORIC™, a Leading CASB Solution
Not all CASBs are created equal, so it is important to carefully evaluate your alternatives
before selecting a CASB partner. Palerra is the leader in CASB and cloud security
automation securing both sanctioned and unsanctioned cloud applications. Unlike
other CASB solutions, the Palerra LORIC platform provides visibility across the entire
security lifecycle from infrastructure through applications, ensuring complete visibility
and governance for all cloud services including IaaS, PaaS, and SaaS. While other vendors
use proxy modes that can result in performance degradation and compatibility issues,
LORIC was natively built on an API architecture so there is no requirement for hardware,
software, or agents. LORIC delivers a multi-mode CASB offering through integrations
with leading in-line solutions including Secure Web Gateways (SWG), Next-Generation
Firewalls (NGFW), Identity as a Service (IDaaS), Data Loss Prevention (DLP), and Security
Information and Event Management (SIEM).
[Figure: Palerra LORIC CASB diagram. Labels: CASB (Visibility, Compliance, Data Security, Threat Protection); Enterprise Security Integration (SIEM, IDaaS, NGFW, DLP, MDM); API Access; Direct Cloud Service Access; Mobile Users and Devices; Inside Perimeter Enterprise; IaaS, PaaS, SaaS; Palerra LORIC; Palerra LORIC Discovery.]
Copyright © 2016, Oracle and/or its affiliates. All rights reserved.

More Related Content

PDF
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
PDF
Identity and Access Management as a Service Gets Boost with SailPoint's Ident...
PDF
Asset 1 security-in-the-cloud
PDF
Law firms keep sensitive client data secure with CloudMask
PDF
Protect your confidential information while improving services
PDF
Cyber security basics for law firms
PPTX
Data Breach from the Inside Out
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Identity and Access Management as a Service Gets Boost with SailPoint's Ident...
Asset 1 security-in-the-cloud
Law firms keep sensitive client data secure with CloudMask
Protect your confidential information while improving services
Cyber security basics for law firms
Data Breach from the Inside Out

What's hot (20)

PPTX
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
PDF
Big Data Dectives
PDF
Ten top tips on keeping your business secure
PDF
Arc Sight Info Documents 7 2009
PDF
The cost of downtime
PDF
Global Security Certification for Governments
PDF
Should we fear the cloud?
PDF
Cloud Insecurity and True Accountability - Guardtime Whitepaper
PDF
10 Tips for CIOs - Data Security in the Cloud
PPTX
Identity Management for the Cloud
PDF
Perspec sys knowledge_series__solving_privacy_residency_and_security
PDF
Forcepoint Dynamic Data Protection
PDF
Securing sensitive data for the health care industry
PDF
br-security-connected-top-5-trends
PPT
Presentation to Irish ISSA Conference 12-May-11
PPTX
Csa summit argentina-reavis
PDF
Managed Security For A Not So Secure World Wp090991
PDF
Networkers cyber security market intelligence report
PPTX
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
PDF
Improving Cloud Visibility, Accountability & Security
Roadmap of Cyber-security from On-Prem to Cloud Journey - Trend Micro
Big Data Dectives
Ten top tips on keeping your business secure
Arc Sight Info Documents 7 2009
The cost of downtime
Global Security Certification for Governments
Should we fear the cloud?
Cloud Insecurity and True Accountability - Guardtime Whitepaper
10 Tips for CIOs - Data Security in the Cloud
Identity Management for the Cloud
Perspec sys knowledge_series__solving_privacy_residency_and_security
Forcepoint Dynamic Data Protection
Securing sensitive data for the health care industry
br-security-connected-top-5-trends
Presentation to Irish ISSA Conference 12-May-11
Csa summit argentina-reavis
Managed Security For A Not So Secure World Wp090991
Networkers cyber security market intelligence report
TECHNOLOGY 101 AND THE PRACTICE OF LAW: KEEPING YOUR FIRM SAFE
Improving Cloud Visibility, Accountability & Security
Ad

Viewers also liked (9)

PPT
1002宜蘭縣網部落格見面會
PDF
Untitled Presentation
PPTX
Mule splitters
PPTX
Mule java part-4
PDF
twelth marksheet
DOC
ISLAM 2015 cv
PPTX
Jms topics
PPTX
101.2植物的有性生殖
PPTX
CASBs: Critical Capabilities - in partnership with ISC(2)
1002宜蘭縣網部落格見面會
Untitled Presentation
Mule splitters
Mule java part-4
twelth marksheet
ISLAM 2015 cv
Jms topics
101.2植物的有性生殖
CASBs: Critical Capabilities - in partnership with ISC(2)
Ad

Similar to o-palerra-ROI-QuantifyCASB-WP (20)

PDF
Cybersecurity in the Cloud: Safer Than You Think
PDF
Cashing in on the public cloud with total confidence
PDF
10 Tips for CIOS Data Security in the Cloud
PDF
CLOUD BASED SERVICES EX.pdf
PDF
SMACIC_Clean
PDF
New Era in Insurance - Cloud Computing
PDF
PDF
The case for on-premises AI
PDF
8 major facts you must know before you buying a casb
PDF
Secure Computing in Enterprise Cloud Environments
PPTX
CLOUD SECURITY IN INSURANCE INDUSTRY WITH RESPECT TO INDIAN MARKET
PDF
How You can Leverage Cloud Platforms to Transform Digital Experience
PDF
How CIOs should make Cloud investment - InfotechLead
PDF
Myths About Cloud Computing
PDF
The benefits of cloud technology for remote working
PDF
The benefits of cloud technology for remote working
PDF
Cloud service providers in pune
PDF
The Secure Path to Value in the Cloud by Denny Heaberlin
PDF
The Myths of the Cloud are Holding Businesses Back
PPTX
Not Using Cloud? 5 Stats Show You're Already Behind
Cybersecurity in the Cloud: Safer Than You Think
Cashing in on the public cloud with total confidence
10 Tips for CIOS Data Security in the Cloud
CLOUD BASED SERVICES EX.pdf
SMACIC_Clean
New Era in Insurance - Cloud Computing
The case for on-premises AI
8 major facts you must know before you buying a casb
Secure Computing in Enterprise Cloud Environments
CLOUD SECURITY IN INSURANCE INDUSTRY WITH RESPECT TO INDIAN MARKET
How You can Leverage Cloud Platforms to Transform Digital Experience
How CIOs should make Cloud investment - InfotechLead
Myths About Cloud Computing
The benefits of cloud technology for remote working
The benefits of cloud technology for remote working
Cloud service providers in pune
The Secure Path to Value in the Cloud by Denny Heaberlin
The Myths of the Cloud are Holding Businesses Back
Not Using Cloud? 5 Stats Show You're Already Behind

o-palerra-ROI-QuantifyCASB-WP

  • 1. WHITE PAPER Working the Numbers: How to Quantify the Value of a Cloud Access Security Broker (CASB)
  • 2. 2 WHITE PAPER 3945 Freedom Circle Suite 560 Santa Clara CA 95054 /// 650 300 5222 /// info@palerra.com /// palerra.com The Elusive Security ROI It is challenging to measure return on investment (ROI) for information security (InfoSec) technology. Enterprises usually treat InfoSec technology as an insurance policy against the potentially devastating costs of not deploying it. From that perspective, your security technology ROI can be determined by the time it takes for a breach to occur that has cost consequences that are equal to or greater than your investment. Your ROI could be immediate. Or it could be longer term. With that in mind, it is hard to justify yet another security technology, but a move to the cloud suggests that you should. If you are leveraging cloud technology today, you are likely doing it because it enables your enterprise to be more agile and competitive while saving significant costs. However, there are risks associated with these benefits. Getting new capabilities quickly is worth far less if it means cracking a hole in your security armor that results in industry compliance violations and fees, loss of intellectual property, loss of customer data, and damage to your reputation, brand, and future business. Whether you are leveraging the cloud for Software as a Service (SaaS), Infrastructure as a Service (IaaS), and/or Platform as a Service (PaaS), cloud security is a mandatory cost of doing business. On June 15, 2016, Gartner issued this press release: “Gartner Identifies the Top 10 Technologies for Information Security in 2016,” and included Cloud Access Security Brokers (CASBs) at the top of that list. Not protecting your data and IP in the cloud is not an option. Knowing that an ROI for a CASB could be longer term, how do you quickly quantify additional value of a CASB so you can make sure it gets a high priority in your already stretched InfoSec budget? 
This paper helps you to build a business case by walking you through the cost considerations and payback of a CASB. The paper will demonstrate that a CASB provides stronger cloud protection at a lower cost than traditional security processes and tools. Why CASBs are Mandatory Let’s take a look at why you need a CASB: 1. The rise of SaaS is no longer a surprise—it’s pervasive. The Cisco Global Cloud Index reports that by 2018, 58% of all cloud workloads will be Software as a Service (SaaS). Even the financial services sector, long considered a laggard in SaaS adoption, now uses SaaS for 42% of its apps. Equally important, employees are using unsanctioned cloud applications (applications that are installed without the knowledge or permission of your IT group) at an alarming rate. 2. Adoption of IaaS is growing rapidly. IaaS is considered the fastest-growing cloud services market. AWS did close to $8B in revenue in 2015, and the market as a whole is forecast to reach $22.4B in 2016. Many enterprises are moving their entire infrastructure to the cloud. For example, GE made a strategic decision to be “100 percent public cloud.” Working the Numbers: How to Quantify the Value of a Cloud Access Security Broker (CASB) Access the CASB ROI Business Case Worksheet to assist you with implementing the suggestions in this white paper. Download Worksheet
  • 3. 3 WHITE PAPER 3945 Freedom Circle Suite 560 Santa Clara CA 95054 /// 650 300 5222 /// info@palerra.com /// palerra.com 3. The network perimeter has eroded. Your employees use smartphones and tablets and work at remote locations around the globe. Gartner predicts that by 2017, 50% of employers will require BYOD. And Cisco believes that there will be a 73% growth in mobile devices from 2014 to 2018. Combine these facts with an estimated 86% of all workloads in the cloud by 2019, and it is reasonable to assume that a high percentage of corporate apps and data interactions are being done by unmanaged users and devices. 4. You can’t hire your way out of this problem. The top-paying cybersecurity job is a security software engineer with an average annual salary of $233,333, according to a recent report from the job board Dice. That tops the salary for a CSO, which is $225,000. And these professionals are an increasingly scarce resource. In 2014, the Cisco Annual Security Report warned that the worldwide shortage of InfoSec professionals was at 1,000,000. Michael Brown, former CEO at Symantec, expects that to rise to 1.5M by 2019. The evidence is mounting that people- centric approaches won’t work. Massive adoption of cloud services means that they are the new norm for holding mission critical enterprise data, IP, and other assets. Because of that, cloud services are now the target of outside hackers and suspect insiders. Securing your growing cloud services with traditional tools and cybersecurity professionals has grown, at best, unwieldy, requiring integration and management of 20 or more different security products. In practical terms, success with this approach is nearly impossible because of the time and cost associated with traditional, manual forensics and a dearth of skilled labor. A CASB uses machine learning and automation to provide a critical control point for the secure and compliant use of cloud services across multiple providers. 
Centered around delivering visibility, compliance, data security, and threat protection, a CASB should include integration with your existing enterprise security solutions such as Security Information and Event Management (SIEM), Identity as a Service (IDaaS), and Next Generation Firewalls (NGFW). Instead of relying on manual processes for identifying and remediating risk, the CASB does it for you—saving significant time and eliminating human error. Getting Cloud Security into your Budget To prevent cloud security from falling through the cracks, your enterprise IT or security budget needs line items for security for both applications (SaaS) and infrastructure (IaaS). Some companies rank security projects according to their value, so it’s important to calculate the value of cloud security and prioritize it relative to other IT and network security projects. Here are a few ways to place value on cloud security:  Calculate the financial exposure of not having a CASB a. Compliance violations b. Lost intellectual property c. Damage to your brand  Align cloud security spending with business objectives  Calculate cost savings for cybersecurity expertise through automation
  • 4. 4 WHITE PAPER 3945 Freedom Circle Suite 560 Santa Clara CA 95054 /// 650 300 5222 /// info@palerra.com /// palerra.com The first item above, is “insurance”—that is, the value is realized when you avoid the problem. The second item is based on the business case that you built when you moved to the cloud, versus the annual cost of implementing a CASB to provide security for your cloud investment. The third demonstrates the dollar savings for skilled cybersecurity professionals. Demonstrate the Financial Exposure of Not Having a CASB There are numerous regulatory and compliance requirements that enterprises need to follow as a course of doing business. When found in violation of these requirements, huge fines and damage to brand reputation can result. In addition, breaches from both external and internal sources can result in IP and data theft, causing equity loss and fees from potential lawsuits. The cost of technology compliance violations, damages to brand and reputation, and the loss of future business can be substantial. It’s important to calculate and include in your CASB business case the savings associated with the following: n COMPLIANCE VIOLATIONS. A number of industries have general compliance regulations about using technology safely in ways that minimize the risk of customer or patient data being compromised. A CASB imposes controls on cloud usage to ensure compliance with specific industry regulations such as HIPAA for the healthcare industry. 
The data below shows current average penalties that a breach of patient information can incur under the Healthcare Insurance Portability and Accountability Act (HIPAA): HIPAA Violation Average Costs Health and Human Services (HHS) fine up to $1.5 million/violation/year Federal Trade Commission fines $16,000/violation Class action lawsuits $1,000/record State attorney generals $150,000 – $6.8 million Note that some IaaS offerings, such as Amazon Web Services (AWS), offer compliance options with their services. These are intended to help keep you in compliance with your industry requirements, but they do not set compliant configurations on your behalf. You must review their instructions and do it yourself. And the compliance setups pertain only to the IaaS cloud infrastructure, not to who accesses the data. Compliance rules and capabilities can instead be built into the CASB and automated so that you are fully compliant and avoid these penalties. n LOST INTELLECTUAL PROPERTY. People are starting to trust the cloud with their intellectual property (IP), so they need the same levels of security controls whether data resides in the cloud or on their premises. A pharmaceutical company might be developing the next generation of drugs or a car manufacturer might be designing the next innovation in vehicle safety. Customer data is also a valued asset. In general, equity losses can be nearly inestimable if trade secrets, patents, intellectual capital, and other corporate-sensitive data are stolen. n DAMAGE TO YOUR BRAND. This happens when news of a breach is publicized and customers and partners get cold feet about the safety of doing business with the enterprise. The Ponemon Institute estimates that $239,000 in hourly losses can be attributed to reputation damage and churn.
Align Cloud Security Spending with Business Objectives

One of the best ways to get your cloud security budget approved is to align cloud security spending with business objectives. Your enterprise is leveraging the cloud today because it enables one or more major business objectives, most likely having to do with improved agility and cost savings. You need to make a business case that cloud security expenses are minimal compared to the value that the organization receives from the cloud, and emphasize that cloud security is mandatory to ensure that agility and cost savings (your business objectives) can be realized.

There’s a good chance that you already have a business case for moving to the cloud. Here is an example of a cloud business case from GE Oil & Gas that demonstrates the cost and operational benefits of moving to AWS. In this example, GE was able to demonstrate a $14M year-over-year savings. While not every company has that type of savings, chances are your company is enjoying tremendous savings from the cloud.

If you have an existing cloud business case like GE’s with an annual savings number, use it. If not, you can calculate the value of the cloud for your enterprise. What can you do using cloud services that you wouldn’t otherwise be able to do? What cost savings are you able to realize?

Next, you need to calculate the cost to implement and maintain a CASB. A CASB vendor can help assess your environment and requirements. Be sure to ask the vendor to let you trial a CASB proof of value at no cost. Palerra is an example of a CASB vendor that would be happy to work with you on this assessment.

Once you have analyzed the value and the cost, subtract the cost of the CASB from the cloud business case. Cloud security can be easily justified when measured against the advantages of the cloud. You will be able to demonstrate that the cost of a CASB (which is a mandatory control to ensure that you achieve your business objectives) is a fraction of the benefits that you will realize from the cloud.

[Figure: GE Oil & Gas cloud business case, “Progress”]
• Business Agility: 77% faster to deliver business applications; rapid experimentation; reduced technical debt; streamlined M&A activity
• Operational Resilience: 98% reduction in P1/P0’s; improved security posture; 15 cloud services created; improved performance
• Cost Avoidance: 52% average TCO savings; 80% cloud first adoption
• Workforce Productivity: 15 automated bots developed; 8 cloud migration parties; shift to self-service culture; DevOps in practice
• Operational Costs: 35% reduction in compute assets (792); 50 applications decommissioned; $14M YOY savings
• Summary: $14.2M investment; 18 months focus; 311 apps in cloud; $14M YOY savings
Demonstrate Cost Savings for Cybersecurity Expertise Through Automation

A CASB can automate the detective work (forensics) related to cloud security incidents, accelerating completion of the work from weeks or months to mere minutes. There are generally four phases of forensics:

1. Data aggregation from multiple cloud providers
2. Analysis of the aggregated data, such as comparing events against known threats, finding patterns of deviation, and identifying the most likely causes of an incident
3. Prioritization of the data gathered into actionable recommendations
4. Remediation (taking action)

Traditional approaches to these four forensic steps place a heavy emphasis on manual labor, while CASBs shift the emphasis to codifying events, outcomes, and actions in software. Also note that when human operators analyze, prioritize, and act on events, there is significant time involved up front in learning about the cloud parameters. On average, it takes 2-3 weeks for an engineer to learn security parameters, and it might be months before a typical engineer has learned them all.

People cost money. An average salary for a security software engineer is $233,333 according to the job board that was cited earlier in this paper. And people are slower and more error-prone than automated systems. According to a Ponemon study, the mean time to identify (MTTI) a data breach is 201 days (with a range of 20-569 days), and the mean time to contain (MTTC) is 70 days (with a range of 11-126 days). That’s a total of 2168 hours at $112 per hour, or $242,816 for just one breach. A CASB with sophisticated automation capabilities can cut this cost by 20% to 80%, depending on the number of cloud providers and number of cloud services in use with each provider.

Summary

As new risks to the IT environment emerge, it’s critical for IT security budgets to account for these risks. Cloud services open up a wealth of capabilities and benefits, but they also introduce new risks that need to be mitigated. If you can determine the value of the cloud service(s) to your organization and subtract what it costs to secure it, you will be left with a net value of using those services. If the cost to own and maintain a solution or the cost of deterring a breach is greater than the value you derive from your cloud service, your enterprise computing expenses are out of balance.

Automated systems like CASBs do a better job of securing cloud environments than traditional manual processes. The size and complexity of today’s attack surface make it costly to identify, correlate, categorize, and act on anomalies. These costs are in both hourly forensic analyst wages and the amount of time a cloud service is vulnerable while humans attempt to secure it.

If you find that a CASB aligns with your business objectives for doing business in the cloud, the next step is to find the CASB that’s as cost-effective as possible and provides the most comprehensive security you can get.

Access the CASB ROI Business Case Worksheet to assist you with implementing the suggestions in this white paper.
Palerra LORIC™, a Leading CASB Solution

Not all CASBs are created equal, so it is important to carefully evaluate your alternatives before selecting a CASB partner. Palerra is the leader in CASB and cloud security automation securing both sanctioned and unsanctioned cloud applications. Unlike other CASB solutions, the Palerra LORIC platform provides visibility across the entire security lifecycle from infrastructure through applications, ensuring complete visibility and governance for all cloud services including IaaS, PaaS, SaaS.

While other vendors use proxy modes that can result in performance degradation and compatibility issues, LORIC was natively built on an API architecture so there is no requirement for hardware, software, or agents. LORIC delivers a multi-mode CASB offering through integrations with leading in-line solutions including Secure Web Gateways (SWG), Next-Generation Firewalls (NGF), Identity as a Service (IDaaS), Data Loss Prevention (DLP), and Security Information and Event Management (SIEM).

[Figure: diagram labeled CASB (Visibility, Compliance, Data Security, Threat Protection); Enterprise Security Integration; API Access; Direct Cloud Service Access; Mobile Users and Devices; Inside Perimeter; Enterprise; SIEM, IDaaS, NGFW, DLP, MDM; IaaS, PaaS, SaaS]

• Palerra LORIC
• Palerra LORIC Discovery

Receive a free demonstration and assistance with completing this worksheet.

Copyright © 2016, Oracle and/or its affiliates. All rights reserved.