Protecting the cloud is mostly about protecting mobile devices, says Bitglass

Most cloud leaks stem from user error

"It's ironic," says Rich Campagna, CEO at cloud access security broker (CASB) Bitglass, "but cloud security has become mostly about mobile device protection. If there are 15,000 devices able to access your network and you don't own 10,000 of them, that's a problem."

Campagna is talking to us about the proliferation of the bring-your-own-device trend: a thorn in the side of many IT departments, who cannot manage security on personal computers and mobiles.

As the cloud has grown, so has the number of workers accessing sensitive company data through their own devices. Thankfully there have been massive investments in cloud security by vendors: Microsoft, for example, spends over $1 billion annually.

Those investments mean that the fears over massive, industry-wide hacks of cloud vendors' databases haven't materialised (yet). Instead, most of the threats that affect data in the cloud stem from human error: poor usage or insufficient configuration of apps. As an example, take the Amazon S3 bucket leaks, which stem from unsecured data stores. Even outages of the service have been caused by human error. Gartner has predicted that 95 per cent of cloud security failures by 2020 will be the customer's own fault.

"The cloud has fantastic flexibility and productivity tools, but these are what end up getting exploited - they are where people run into challenges," said Campagna. "The main security challenge is not securing the cloud itself, but its usage."

That is where CASBs come in. While cloud vendors are making huge security investments, these tend to target widespread threats that could affect the entire customer base; they don't protect against human error (although Amazon has recently started to alert users when they have an unsecured data store).

CASBs consolidate multiple security services, most of which are developed internally. They protect applications, and take a holistic view of an organisation's entire cloud footprint. This means that they can detect unusual activity, such as a user logging into Salesforce in San Francisco and Office 365 in London. "Those apps wouldn't see anything unusual, because they don't talk to one another; but a CASB would spot it," said Campagna. "We aim to be a single point of visibility and control."
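
The cross-app check described above can be sketched as follows; this is an added example, not Bitglass's code or anything from the article. It assumes sign-in events from both apps have already been merged and geolocated; the `Login` record, the 900 km/h speed limit and the 50 km noise floor are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0   # assumed threshold: roughly airliner cruising speed
MIN_KM = 50.0     # assumed floor, so geolocation jitter does not alert

@dataclass(frozen=True)
class Login:
    user: str
    app: str
    when: datetime
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle distance in km (haversine)."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (earlier, later) login pairs per user implying travel faster than max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # Simultaneous logins (hours == 0) from distant places always alert.
            if dist > MIN_KM and (hours == 0 or dist / hours > max_kmh):
                alerts.append((prev, ev))
        last[ev.user] = ev
    return alerts

# Constructed sample: sign-in events merged from two apps' logs.
SF, LONDON = (37.77, -122.42), (51.51, -0.13)
EVENTS = [
    Login("alice", "Salesforce", datetime(2018, 1, 8, 9, 0), *SF),
    Login("alice", "Office 365", datetime(2018, 1, 8, 9, 40), *LONDON),
    Login("bob", "Salesforce", datetime(2018, 1, 8, 9, 0), *LONDON),
    Login("bob", "Office 365", datetime(2018, 1, 8, 9, 5), 51.50, -0.12),
    Login("carol", "Office 365", datetime(2018, 1, 8, 8, 0), *LONDON),
    Login("carol", "Salesforce", datetime(2018, 1, 9, 8, 0), *SF),  # a day later
]

if __name__ == "__main__":
    for a, b in impossible_travel(EVENTS):
        print(f"{a.user}: {a.app} then {b.app}, {km_between(a, b):.0f} km apart")
```

Running the same function on one app's events alone yields no alert, which is the blind spot the paragraph describes.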