1H 2016 Shadow Data Report - Blue Sky eLearnISC)2_082516_Martin... · 1H 2016 Shadow Data Report...
Overview
• Shadow Data Report
Speaker: Martin Johnson, Cloud Security Expert
• Recent Exploits Leveraging Cloud Apps and Services
Speaker: Aditya Sood, PhD, Director of Security and Elastica Cloud Threat Labs at Blue Coat
• A Data Science Approach to Cloud Security
Speaker: Deena Thomchick, Cloud Security Expert
1H 2016 Shadow Data Report
• Over 15K cloud apps analyzed, categorized and rated for business readiness
• Over 108M cloud docs analyzed
– Data from real world customers sharing data in popular cloud apps, such as Box, Dropbox, Google Drive and Office 365
– Data is anonymized and aggregated to protect customer confidentiality
Full report available at: www.elastica.net/1h-2016-shadow-data-report
Shadow IT: Sanctioned vs. Unsanctioned Apps
Sanctioned Apps
• Apps evaluated and approved by IT
• Typically includes popular apps like Office 365, Box, and Google Apps
Unsanctioned “Shadow IT” Apps
• Apps adopted by employees and business units without IT approval
• Often includes consumer or unsecure social or business apps
Shadow IT Controls: Why do I need it? Use Cases
“We are a global company with 40K employees around the world. As a CIO/CISO, I need visibility into the scale of shadow IT being used throughout the company to effectively plan my IT strategy.”
“As a CIO, I’m concerned that we are wasting money with users adopting multiple apps that have the same function or multiple accounts for the same app. How can I identify these inefficiencies so I can trim costs and simplify IT management?”
“My company has a lot of sensitive data stored in the cloud. As an IT manager, I need to know which users are the riskiest and may potentially leak that data.”
“As a Security Admin, I need to identify SaaS apps on my extended network that pose a risk to my company.”
Know Your Apps: App Classification
Elastica tracks 15,000+ cloud apps and services, shown here in 12 broad groups of app categories, by the number of apps within each category.
Measuring App Risk: How Business Ready Is That Cloud App?
• Blue Coat assigns a Business Readiness Rating (BRR) on a scale of 1-100 to each of 15,000+ cloud apps
• BRR is based on 60+ security attributes.
• See BRR in action with our interactive widget at: http://www.elastica.net/brr-app
Measuring App Risk: General Areas of Concern
99% of all business apps are not appropriate for corporate use
95% of business apps are not SOC 2 compliant
11% of business apps are still vulnerable to one or more major exploits (Heartbleed, FREAK, Poodle)
71% of business apps do not provide multi-factor authentication (MFA)
Measuring App Risk: Finance/Telecom/Education/etc.
87% of all business apps do not adequately encrypt data at rest or in motion
• Places all sensitive data at risk, including PII, PCI (and PHI)
SEC Gets Tough: $1.7-9.6M compliance fines for finance, telecom and education as the US SEC increases penalties for leaking PII data.
Health Insurance Portability and Accountability Act (HIPAA)
• Mandates industry-wide standards for health care information on electronic billing and other processes
• Requires the protection and confidential handling of protected health information (PHI)
50% of all business apps do not adequately protect PHI
Measuring Business Risk: Fortress Europe
General Data Protection Regulation (GDPR)
• Supersedes the Data Protection Directive “Safe Harbor” and will be enforceable starting on May 25, 2018
• Extends EU data protection law to all foreign companies processing data of EU residents.
• Standardizes data protection regulations throughout the EU
• Severe penalties of up to 4% of worldwide turnover. (The Parliament's version contains increased fines up to 5%.)
98% of all business apps are not ready for use in Europe according to the new GDPR standards
25% fulfill some of the GDPR requirements, but not enough to confidently use in the EU
Good News: Top Business Apps are Business Ready
However, most consumer apps, including some popular ones, are not.
Shadow Data
Shadow data includes all the sensitive data that is stored and shared using either sanctioned or unsanctioned apps, without the knowledge of IT.
Shadow Data Controls: Why do I need it? Use Cases
“As a VP in charge of compliance at a healthcare organization, I’m concerned that we could get hit with serious fines for HIPAA compliance violations if PHI stored in our cloud services is lost or stolen.”
“As an IT director, I need to know what types of data employees are storing in the cloud, how they are sharing it, and with whom. I also need to be able to enforce policies around the sharing of sensitive company data.”
Know Your Users: Accidental Over-sharing
Alice shares a file with Bob
Bob shares that file publicly, or shares it on other apps
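The Alice-to-Bob-to-public chain above is the kind of transitive exposure a shadow data assessment has to surface (it is also what the later "external and public content exposures" item refers to). The following is an added example, not code from the report or from Elastica/Blue Coat: it walks a constructed list of sharing events as a graph, reports every file that ends up on a public link or in another app, and names the user who re-shared it. The event format and the `"public"` / `"app:<name>"` targets are assumptions made for the example.

```python
"""Added example (not from the Shadow Data Report): trace file-sharing events
to find files that leak to a public link or to another cloud app, and the
chain of holders that got them there."""
from collections import defaultdict

# Constructed sample sharing events: (file_id, from_user, to_target, app).
# to_target is a user, "public" for a public link, or "app:<name>" when the
# holder re-shares the file through a different cloud app.
SHARE_EVENTS = [
    ("doc-1", "alice", "bob", "box"),
    ("doc-1", "bob", "public", "box"),          # Bob shares Alice's file publicly
    ("doc-2", "alice", "carol", "gdrive"),
    ("doc-2", "carol", "app:dropbox", "gdrive"),  # Carol moves it to another app
    ("doc-3", "dave", "erin", "box"),             # stays internal
]


def build_share_graph(events):
    """Map (file_id, holder) -> list of (recipient, app) edges."""
    graph = defaultdict(list)
    for file_id, src, dst, app in events:
        graph[(file_id, src)].append((dst, app))
    return graph


def is_external(target):
    """A target outside the organization's control: public link or other app."""
    return target == "public" or target.startswith("app:")


def exposure_chains(events):
    """Return {file_id: [chain, ...]} for every share path that ends outside
    the organization. A chain is the ordered list of holders, e.g.
    ['alice', 'bob', 'public']. The first sharer of a file is assumed to be
    its owner (an assumption of this example, not a property of real audit logs)."""
    graph = build_share_graph(events)
    owners = {}
    for file_id, src, _, _ in events:
        owners.setdefault(file_id, src)
    result = defaultdict(list)
    for file_id, owner in owners.items():
        stack = [(owner, [owner])]
        seen = {owner}  # guards against share loops between users
        while stack:
            holder, path = stack.pop()
            for dst, _app in graph.get((file_id, holder), []):
                if is_external(dst):
                    result[file_id].append(path + [dst])
                elif dst not in seen:
                    seen.add(dst)
                    stack.append((dst, path + [dst]))
    return dict(result)


def risky_resharers(events):
    """Users who pushed someone else's file outside the organization.
    Chains of length 2 (owner -> public) are the owner's own decision and
    are not counted here."""
    risky = set()
    for chains in exposure_chains(events).values():
        for chain in chains:
            if len(chain) >= 3:
                risky.add(chain[-2])
    return risky


if __name__ == "__main__":
    for file_id, chains in exposure_chains(SHARE_EVENTS).items():
        for chain in chains:
            print(file_id, " -> ".join(chain))
    print("re-sharers:", sorted(risky_resharers(SHARE_EVENTS)))
```

On a real sharing audit log the same walk would run per file over the tenant's share events; the point of keeping the full chain, rather than just the final "public" flag, is that remediation needs both the owner to notify and the re-sharer to coach.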
Malicious Employees and Hackers
Just 1.3% of employees across all organizations were responsible for all data exfiltration, destruction and account takeover incidents.
Risky Users
Good News
Users who have exhibited high risk behavior are concentrated in 12% of companies.
Bad News
Over half of all organizations with employees who exhibit high risk behavior have 10% or more of their users categorized as high risk.
In 3% of companies, the vast majority of users (70% or more) are indulging in high risk behavior when using cloud apps.
Financial Risk
Healthcare vertical has the greatest amount of financial risk based on our analysis of real world data
• Healthcare account breach translates into an average cost of $10M per breach
• Anthem data breach of $80M docs resulted in $100M remediation costs and compliance fines.
However, all verticals face steep financial costs due to data breaches.
Data Science Powered Cloud App Security
• Machine Learning
• Semantic Analysis
• Natural Language Processing
• Graph Theory
Shadow IT Risk Assessment
Based on logs and event info from proxies and firewalls
• Analytics on your cloud app risks and compliance issues
• App usage anomalies across your organization
• What apps you should sanction and what apps you should block
Shadow Data Risk Assessment
• External and public content exposures, including compliance risks
• Inbound risky content shared with employees (e.g. malware, IP, etc.)
• Risky users and user activities
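The shadow IT assessment above starts from proxy and firewall logs, so the following is an added example, not code from the report or from Elastica/Blue Coat, of the first step of that assessment: parse constructed proxy log lines, map request hosts to cloud apps, split the apps into sanctioned and unsanctioned, and rank the unsanctioned ones by bytes uploaded. The log format, the `APP_SIGNATURES` catalogue and the `SANCTIONED` list are all assumptions made for the example; a real product keeps thousands of signatures rather than five.

```python
"""Added example (not from the Shadow Data Report): shadow IT discovery from
proxy logs. Parses access lines, attributes each request to a cloud app and
reports unsanctioned apps ordered by upload volume."""
import re
from collections import defaultdict

# Constructed proxy log lines (simplified, not a real vendor format):
# "<epoch> <client_ip> <user> <method> <url> <status> <bytes>"
PROXY_LOG = """\
1472083200 10.1.2.3 alice GET https://app.box.com/api/2.0/files 200 5120
1472083201 10.1.2.3 alice PUT https://upload.box.com/api/2.0/files/content 201 1048576
1472083210 10.1.2.4 bob GET https://www.dropbox.com/home 200 2048
1472083215 10.1.2.4 bob POST https://content.dropboxapi.com/2/files/upload 200 7340032
1472083220 10.1.2.5 carol GET https://drive.google.com/drive/my-drive 200 3072
1472083230 10.1.2.6 dave POST https://api.wetransfer.com/v2/transfers 200 15728640
1472083240 10.1.2.6 dave GET https://www.example.com/ 200 512
"""

# Assumed signature catalogue: hostname (or parent domain) -> app name.
APP_SIGNATURES = {
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
}

# Assumed IT-approved list; everything else that matches a signature is shadow IT.
SANCTIONED = {"Box", "Google Drive"}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}


def app_for_host(host):
    """Match a request host against the catalogue, including subdomains."""
    for suffix, app in APP_SIGNATURES.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def parse_line(line):
    """Return a dict for a well-formed line, None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _ip, user, method, url, _status, nbytes = m.groups()
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return {"user": user, "method": method, "host": host,
            "bytes": int(nbytes), "app": app_for_host(host)}


def assess_shadow_it(log_text, sanctioned=SANCTIONED):
    """Per-app usage summary: users, request count, upload bytes, sanctioned flag.
    Requests to hosts with no signature are ignored (not cloud apps we track)."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["app"]:
            continue
        entry = usage[rec["app"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return {app: {**v, "users": sorted(v["users"]), "sanctioned": app in sanctioned}
            for app, v in usage.items()}


def shadow_apps(log_text, sanctioned=SANCTIONED):
    """Unsanctioned apps, largest upload volume first (the outbound data
    exposure an IT team would review first)."""
    report = assess_shadow_it(log_text, sanctioned)
    return sorted((a for a, v in report.items() if not v["sanctioned"]),
                  key=lambda a: -report[a]["upload_bytes"])


if __name__ == "__main__":
    for app, v in assess_shadow_it(PROXY_LOG).items():
        print(f"{app:<13} sanctioned={v['sanctioned']} users={v['users']} "
              f"requests={v['requests']} upload_bytes={v['upload_bytes']}")
    print("shadow IT by upload volume:", shadow_apps(PROXY_LOG))
```

Ranking by upload bytes rather than by request count is deliberate: a single large POST to an unsanctioned file-transfer service is a bigger data-exposure signal than many small GETs, and it is the same figure the report's "risky users" view would roll up per employee.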