The Definitive Guide to CLOUD SECURITY · IDC shows that security and privacy remain the top...

The Definitive Guide to CLOUD SECURITYWHITE PAPER

Cloud Visibility and ComplianceThreat Prevention and Data SecurityShadow IT CRM platforms securityFile-Sharing and CollaborationWhat is a CASB?

2 Aiuken Cybersecurity 2017

Page 03

Page 05

Page 07

Page 10

Page 13

Page 16

9

Introduction – Cloud Adoption and Risk Today

Cloud Visibility

Cloud Compliance

Cloud Threat Prevention

Cloud Data Security

Shadow IT

Contacts

Table of contents

Page 19

Page 21

Page 24

Page 26

Page 28

CRM

File-Sharing and Collaboration

What is a CASB?

Quantifying the Value of a CASB

Parting Guidance on Evaluating CASB Vendors

3The Definitive Guide to CLOUD SECURITY

Introduction – Cloud Adoption & Risk Today

Aiuken Cybersecurity 2017

KEY STAT: 60% OF CIOS STATE THAT THE CLOUD IS THEIR #1 PRIORITY THIS YEARThe cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making employees more productive and businesses more agile. As the cloud market matures, analysts and market researchers are discovering hard data supporting the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne Research show that the cloud is providing organizations with a 21% reduction in product time to market, a 17% reduction in IT maintenance costs, a 15% reduction in IT spend, and an 18% increase in employee productivity. 1

With these types of metrics in hand it’s no surprise that 60% of CIOs state that the cloud is their #1 priority this year.2

However, this enthusiasm for cloud adoption is tempered by security, compliance, and governance concerns. IDC shows that security and privacy remain the top inhibitors of cloud adoption.3

Given the seemingly endless supply of headlines on data breaches, it’s understandable, if not expected, that security of data in the cloud is now a board-level concern for 61% of organizations, according to a recent study by the Cloud Security Alliance (CSA).

The phenomenon of employees’ self-enabled cloud services (cloud services procured and managed outside of IT’s purview), often referred to as “Shadow IT”, complicates the situation for IT and IT Security teams. Even if organizations are taking a deliberate approach to cloud and adopting cloud services strategically while implementing the required security, compliance, and governance controls around them, employees are likely not acting with the same consideration when they sign up for new cloud services on their own. In fact, with up to 90% of cloud activity driven by individuals and small teams, the average company now uses 897 cloud services, up 43% over the last year.4

60% of CIOs state that the cloud is their #1 priority this yearVanson Bourne Research

1 http://venturebeat.com/2012/08/07/google-cfo-cloud-study/

2 http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i

3 http://www.opendatacenteralliance.org/docs/1264.pdf


With cloud adoption at an all time high and damaging headlines catalyzing conversations around data security, enterprise IT is looking for ways to partner with the business to manage the move to the cloud. Increasingly, these enterprises are turning to analyst and industry thought leaders to help them navigate this new security landscape. Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner have been particularly adept in providing the market with a usable framework for managingcloud security. Their framework organizes around four pillars of functionality: Visibility, Compliance, Threat Prevention, and Data Security.

In 2015, roughly 10% of overall IT security enterprise capabilities will be delivered as a cloud service.Gartner

In thiseBook we will dive into the details of each pillar, providing relevant and related data points for consideration, and describe how forward-leaning IT teams are managing cloud security today using this framework.


Cloud Visibility

KEY STAT: 72% OF COMPANIES DON’T KNOW THE SCOPE OF SHADOW IT AT THEIR ORGANIZATION BUT WANT TO KNOW

Cloud services are incredibly easy to adopt, with most requiring only an email or a credit card to sign up. The result is that individual users and business units often begin using cloud services without any involvement from IT. The benefit is that users and business units are able to readily and rapidly adopt services that drive productivity and agility for the business.The downside is that IT often has little to no visibility into the full scope of IT services employees are using.Without visibility, it becomes very difficult for IT to manage both cost expenditure and risk in the cloud.

With regards to visibility, Gartner says that enterprises must protect their sensitive data for various commercial and legal reasons. Regardless of whether the cloud services in use are shadow IT or sanctioned IT, businesses need visibility into which services employees are using, what data is stored in them and shared from them, any anomalies in usage behavior that indicate a compromised account, and who is using each service and from which devices and geographies.

Enterprises must also ensure that they don’t cross a “perceived ethical of legal privacy boundary” when monitoring the use of cloud services. For example, the same methods that can be used to monitor sanctioned cloud services, could also be used to monitor personal Facebook or Instagram accounts. Requirements for privacy may vary greatly in different verticals and geographies.

30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects.Cloud Security Alliance

Enterprises must also integrate their cloud visibility into existing systems, such as SIEMS for continuous monitoring and event management.5

The average employee uses 27 different cloud services 6 at work, including six collaboration services, four social media services, and three file-sharing services. Many of the services used in the office are consumer grade services and security is not a given, so understanding which services employees are using, what type of data is uploaded to and shared through the services, and what security capabilities the services have is a must.6

5 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

6 Q4 2015 CARR


KEY QUESTIONS IT SECURITY SHOULD BE ABLE TOANSWER RELATED TO CLOUD VISIBILITY

1 Which services are employees and business units using overall and in each category (e.g. file sharing, social media, collaboration)?

2 Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?

3 What is the risk-level of each service in use?

4 How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?

5 Which redundant services are employees using, and are they introducing additional cost and risk and inhibiting collaboration?

6 How do I quantify the risk from the use of cloud services and compare it to peers in my industry? Which services are employees and business units using overall and in each category (e.g. file sharing, social media, collaboration)?

7 Which services house sensitive or confidential data today?

8 What are the security capabilities of the services storing sensitive data?

9 Which data is available to external collaborators outside of the company?

10 Which partners’ cloud services are employees accessing and what’s the risk of these partners?

11 Which external collaborators are granted access to our company’s services?

12 How do I track and log all user and admin actions for compliance and investigations?


Cloud Compliance

KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING CLOUD SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER.

Today’s enterprises have deployed cloud services to support CRM, ERP, HR, Collaboration, and Backup operations. Applications like Salesforce, ServiceNow, Workday, Box, and Office 365, support mission-critical business functions, and because of this they often house sensitive or confidential information, such as customer data, financial data, employee data, IP, or security infrastructure data. Locating this type of data in the cloud is not a rare event; in fact it is now commonplace.

For example, 22% of files uploaded to file-sharing services contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; and PHI (protected health information) such as medical record number or health plan beneficiary number.

Compliance will always be a core security deliverable.Gartner

Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud service that contained sensitive or confidential data over the course of a business quarter.7 In order to drive compliance, IT leaders are looking for ways to identify enterprise-ready cloud services that support various use cases, locate where sensitive data is housed, audit how sensitive data is handled, and protect sensitive data from loss. With regards to compliance, Gartner says that compliance will always be a core security deliverable

They indicate that, with regards to SaaS applications, compliance-supporting activitiesshould cover:

• Answering the who, what, when, why and where questions with provable data for various compliance regimes.• Providing assistance with out-of-the box compliance reporting for major compliance standards.• Auditing user behavior across cloud applications, regardless of the device (e.g. PC or mobile) or method of access (e.g. browser or mobile app).

• Enabling integration within the enterprise by supporting log generation that can be used with existing SIEMs.• Guiding the organization to specific cloud services that satisfy both functional requirements of the users and the compliance and risk requirements of the business. This is especially important given the thousands of options available in the cloud today.8




As Gartner references, there are over 10,000 cloud applications today, all with varying degrees of security, compliance, and governance capabilities. Despite this diversity of offerings, companies across industries must ensure compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations. In order to do so they must ensure the protection of various types of personal information, including:

• Names

• Address

• Birthdate

• Telephone or fax number

• Email address

• Social security number

• Medical record number

• Health plan number

• Bank account numbers

• Professional certificate or license number

• License plate number

• URLs or IP address

• Finger and voice prints

• Full face photograph

• Any unique identifying number

While the cloud provider is responsible for the security of their product, compliance is based on a shared responsibility model, whereby the enterprise using the cloud service must also take measures to maintain the privacy of employee and customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all share responsibility for compliance.


KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD COMPLIANCE:

1 Which applications house sensitive data subject to regulatory compliance?

2 What are the security capabilities of the services housing sensitive data?

3 What are the legal terms of the services housing sensitive data?

4 Which employees are accessing sensitive data, and how are they using or sharing it?

5 Which employees are uploading sensitive data to high-risk services?

6 Which administrators have behavioral anomalies that indicate excessive privilege access?

7 When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?

8 How do we leverage previous resource investments and extend existing on-premises data loss prevention policies to the cloud?

9 How do we implement a closed workflow to review, remediate compliance violations, and educate violators?

10 Is sensitive data kept in a specific country or region to comply with international data residency requirements?


Cloud Threat Prevention

KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR, BUT 85% OF COMPANIES EXPERIENCED ONE.Cloud services, like on-premises systems, can be the target of attacks aimed at stealing corporate data or damaging the business. Attacks typically leverage the cloud in one of two ways: they use cloud services as sources of sensitive data to steal, or they use cloud services to exfiltrate stolen data.

Some enterprise-ready cloud services have security capabilities that exceed those of the enterprise data center, but that does not necessarily protect them from insider threats or compromised identities. In fact, compromised identities and insider threat are the two main drivers of the first threat vector (cloud services as the source of data to steal), and they are far more common than most IT professionals realize.

According to the Cloud Security Alliance, 17% of companies reported an insider threat last year, but in fact 85% of companies experienced one.9 This discrepancy exists because so many attacks go under the radar today. Further, 92% of companies have at least one corporate cloud service login credential available for sale on the Dark Net today.10

30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects. Cloud Security Alliance.

In order to prevent against insider threats, organizations can employ machine learning to identify anomalous behavior that indicates a threat in progress.Triggers are often large or repeated downloads of sensitive data or excessive privileged user access. Insider threats could be aimed at stealing enterprise data from the cloud, such as IP from a file sharing service or security infrastructure from an IT management service, but the most common insider threat seems to be the theft of customer sales data from CRM services, perpetrated by sales reps or sales operations managers who plan to leave the company. Additionally, malware attacks are also now targeting cloud services. Last year’s much publicized Dyre malware would monitor browser activity to steal credentials for cloud services that housed valuable corporate data.

9 Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014

10 Skyhigh Networks Cloud Adoption and Risk Report: Q4 20


Attackers also increasingly look upon cloud services as a clever way to exfiltrate data under the radar. With the average company using almost nine hundred cloud services today and IT often not having visibility into their usage, attackers know that unmanaged cloud services can be a fertile territory for malicious behavior and frequently use popular and seemingly harmless services to execute their operations. For example, malware employed by a foreign national government recently used YouTube to exfiltrate stolen intellectual property. The attackers created VAR segments, inserted the stolen data into mpg4 files, and then uploaded them onto YouTube. The videos would play within YouTube, but once downloaded the VAR segments could be unpacked providing the attackers with the stolen data. In another startling example, malware leveraged a Twitter account to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While these attacks are almost amusingly clever, they serve as a serious reminder that threat prevention must be a core focus of any cloud security project.

31% of companies are “not sure” if they experienced an insider threat incident last year.Cloud Security Alliance.

With regards to threat detection, Gartner says that, in on-premises applications that were protected by network/host security and access management, Security could control all application access from authorized users from defined locations while also inspecting for malicious content, regardless of the network channel or protocol. However, in today’sInternet Age, with billions of users accessing the Internet via browsers, enterprise cloudapplications are now accessible to anyone with an internet connection.Because of this fundamental change, new controls are required in order to protect enterprise data.

Particularly, new controls are needed for cloud service to manage events such as:

• Access from known suspicious countries, locations, devices, locations, or unusual access times or data volumes.• Access from compromised cloud service accounts.• Access from canceled accounts or from accounts that have remained idle for excessive periods of time.

• Access directly to cloud services that bypasses security controls.• Access via outdated operating systems or browsers that are no longer supported and are• thus more vulnerable to attacks.

Malware leveraged Twitter to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets



KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD THREAT DETECTION:

1 What does normal behavior for any given service look like?

2 How does a user’s role affect their normal cloud service usage patterns?

3 How do I monitor and baseline usage across the enterprise for both local and remote employees?

4 Which users are accessing large volumes of sensitive data?

5 Which administrators are accessing large volumes of sensitive data?

6 Which cloud services have behavior anomalies that indicate insider threat?

7 Which cloud services have behavioral anomalies that indicate malware at work?

8 Which cloud services have behavioral anomalies that indicate an account is compromised?

9 Which cloud services in use are rated as high-risk and have an anonymous use policy?


Cloud Data Security

KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION, ONLY 5% ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.As many a CIO and CISO will tell you - IT Security, today, is all about protecting data, not data centers – and this is largely product of cloud. When considering data security it can be helpful to examine both the security of the service the data lives in and the security of the devices that have access to the data.

Some cloud services have security capabilities that far-exceed most corporate data centers. However, with over 10,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features.Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt data at rest. For this reason, it is important to look at the risk of services individually and enable risk- based policies on acceptable usage.12

In services with high levels of built in security, users and their devices can often be the weakest link. Users frequently lose devices or leave them in insecure locations and are prone to lose passwords as well. 12% of employees have at least one corporate identity (username and password) for a cloud service that has been compromised for sale on the Dark Net (online black markets) today.13

A study by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are re- used in multiple places. The implication here is that, for 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services in use by that person as well. Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be immense.

Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014


Enterprises can improve the security of their data by employing access control policies for cloud services that take into account the context of the user, data, device, and location. For example, an executive may be able to view and download important financial data to her laptop when in the office, but may be restricted to viewing only when on her mobile device in a foreign country.

Additionally, enterprises can take extra steps to ensure the security of their data by employing encryption and tokenization and controlling their own keys. Encryption can be tricky, and several considerations must be made when evaluating encryption options.

First, enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia-reviewed to ensure that they are up to modern cryptographic standards.

Second, enterprises must also verify that the algorithms used can support the required functionality of their application since there is a trade-off between the security of an algorithms and the functionality that it can support.

Finally, to maximize data security, enterprises must own their own encryption keys. By taking ownership of their keys, they prevent a malicious insider at a cloud service or an inquiring government agency from gaining access to their data.

Enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia- reviewed to ensure that they are up to modern cryptographic standards.

With regards, to data security, Gartner says that data is mission-critical to the enterprise and that securing that data is the primary goal of any IT Security organization. Therefore, if the enterprise is moving its data into cloud services, IT Security must:

• Ensure that sensitive data is encrypted using known good algorithms or tokenized before entering the cloud service via a configurable data security policy.• Ensure that robust authentication procedures are defined and enforced, including central credential store usage, certificates, and multi-factor authentication.• Support encryption key management via a hardware security module (HSM).• Ensure that only the authorized users and groups have access to enterprise data

• Prevent data from being lost within cloud services when the owner is de-provisioned.• Ensure functionality within cloud services is maintained when data within those services is encrypted or tokenized so that the value of the services can be fully realized.• Ensure that data loss prevention and e-discovery are available for cloud services, just as they are for on-premises systems today.14

Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014


KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD DATA SECURITY:

1 Which cloud services encrypt data at rest and provide multi-factor authentication?

2 What are the compliance certifications of the services employees are using?

3 Which of our cloud services undergo regular penetration testing?

4 Which of our cloud services has been compromised in the last week, month, year?

5 Which data should be encrypted in which cloud services?

6 How do we encrypt data while maintaining required functionality within cloud services?

7 How do we encrypt data while controlling our own encryption keys?

8 How do we employ tokenization to ensure data privacy in addition to security?

9 How do we enforce access policies based on user, device, and location?


Shadow IT

KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES. ON AVERAGE, IT IS AWARE OF 3 OF THEM.

Shadow IT refers to information technology that is managed outside of, and without the knowledge of, the IT department. At one time. Shadow IT was limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department. 15

This rapid growth is partly driven by the quality of consumer applications in the cloud such as file sharing apps, social media, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterprise-class SaaS applications. In many ways Shadow IT is helping to make businesses more competitive and employees more productive.

When employees and departments deploy SaaS applications, it can also reduce the burden on IT help desks to take calls according. However, while IT is no longer responsible for the physical infrastructure or even managing the application, it’s still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. Instead of seeingShadow IT as a threat, Ralph Loura, CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify the applications they want to use so that IT can enable the ones that have gained traction and are enterprise-ready.

15 http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/


According to Loura, “We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.” Promoting low risk services that have reached a tipping point starts with understanding what cloud services employees use, how they use them, and their associated risk.

We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users.Ralph Loura,CIO Enterprise Group, HP

When IT examines the use of cloud services across the organization, they generally findShadow IT is 10 times more prevalent than they initially assumed, with the average organization today using 897 different cloud services. 16

Often IT departments discover many services in use that they have never heard of before. After auditing the risk of each service and its security controls, IT teams can make informed choices about what services to promote or enable. This is more than just an exercise in risk management. The average company uses nearly 30 different file sharing services, and using this many different services can impede collaboration between employees. Standardizing on enterprise licenses for 2-3 services not only improves collaboration, but also reduces cost.

Below are key questions related to shadow IT that IT Security should be able to answer:

VISIBILITY• Which users and business units are using which cloud services, and what is the risk of each of the services in use?• How effective are my firewalls and proxies at enforcing my cloud security policies?

COMPLIANCE• Where is sensitive data being stored today, and what certifications do services storing sensitive data have?• Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward?

THREAT DETECTION• Are there behavioral anomalies that indicate an insider threat?• Are there behavioral anomalies that indicate a security breach from malware or a compromised identity?

DATA SECURITY• Which data in which services can users access from various devices?• Do I need to encrypt or tokenize data to protect confidential or sensitive information

Last quarter the average company uploaded 86.5 GB to high-risk cloud services.


19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:

1 Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data transfers

2 On-premises tokenization of log data for security and privacy

3 Comprehensive cloud registry covering a minimum of 10,000 cloud services

4 Detailed risk assessments provided for all cloud services

5 Usage analytics to identify redundant services and popular and growing services primed for enterprise adoption

6 Ability to audit the effectiveness of firewall and proxies at enforcing policies

7 Closed-loop remediation with firewalls and proxies

8 Ability to coach employees using integration with firewalls and proxies

9 Customizable reporting with automatic periodic reporting capabilities

10 Vertical-specific, pre-built DLP policy template Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data transfers

11 Ability to leverage policies from on-premises DLP systems and extend them to cloud services

12 Ability to quantify cloud risk, compare it to benchmarks from peers in the industry, and track it over time

13 Anomaly detection across all services to identify insider threats or security breaches

14 Ability to identify unmatched uploads for further investigations

15 Integration with SIEMS for incident response remediation

16 Dark Net intelligence to identify stolen credentials of employees

17 User reputation analysis based on correlated activities across cloud services

18 Function-preserving encryption for data security

19 Frictionless deployment that doesn’t impact end users


CRM

KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL FINANCIAL DATA, PII, ORPHI.

Customer Relationship Management platforms, such as Salesforce, provide business-critical functionality for Sales, Sales Operations, Customer Service, and Marketing. In order to support these business units, CRM services frequently contain sensitive or confidential customer information including PII, financial data, or PHI.

While popular CRM platforms, such as Salesforce, have industry-leading security capabilities, organizations must ensure that their valuable data is protected and that the use of their CRM service is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.

Enterprises must not rely solely on the security capabilities of the CRM service itself, as users may not always be using cloud products in ways that meet your security, compliance, and governance requirements. For example, users may be storing sensitive data such as payment card data and protected health data in Salesforce as part of their normal workflow outside of policy, putting the organization at risk of compliance violations. Or, consider the example of a salesperson that downloads all the company’s opportunities before leaving to join a competitor. Below are key questions related to CRM services that IT Security should be able to answer:

VISIBILITY

• How many instances of Salesforce, or CRM applications, are we running?• Which users and groups are using which products, and where is sensitive data stored?

COMPLIANCE DATA

• Which types of sensitive data are uploaded into our CRM service in customer fields or comments sections and where is it being stored?• Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?

THREAT DETECTION

• Are there behavior anomalies, such as a salesperson downloading more data than usual, that indicate an insider threat? • Are there behavioral anomalies, such as a salesperson logging in from Boston and Bangkok within the same hour, that indicate a compromised identity?

DATA SECURITY

• Which devices and geographies are employees accessing CRM services from?• How can I encryptor tokenize data while maintaining important functionalities like search, sort and order?


1 Usage analytics across all CRM services for both individuals and business units.

2 Ability to identify redundant CRM services and coach users over to standardized services.

3 Ability to identify all third-party applications accessing CRM services and their data.

4 Detailed activity monitoring of all user, admin, and third- partyapplication activities including uploads, downloads, views, edits and deletes.

5 Ability to identify sensitive data subject to compliance requirements or security policies.

6 Ability to enforce Enforces DLP policies and support several actions, including alerting and blocking.

7 Ability to extend existing DLP policies from on-premises systems and provide integration and closed-loopremediation.

8 Ability to encrypt structured and unstructured data with standards- based AES or function-preserving encryption using enterprise- owned encryption keys.

9 Ability to apply encryption while preserving end-user functions such as search, sort, and format.

10 Academia and peer-reviewed encryption schemes.

11 Ability to substitute sensitive data with randomly generated tokens (tokenization) to keep data on-premises and satisfy data residency requirements.

12 Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol.

13 Behavioral modeling of normal user and admin activity within the CRM services.

14 Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat.

15 Integration with SIEMS for incident response remediation.

16 Integration with SAML v2 compatible single sign-onservices.

17 Ability to deploy in the cloud, on-premises as a virtual appliance, or in a hybrid architecture.

17 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT CRM USAGE:


File-Sharing and Collaboration

KEY STAT: 22% OF FILES UPLOADED TO FILE SHARING CLOUD SERVICES CONTAIN SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION OR PHI.

File-sharing and collaboration services like 0365, Box, Dropbox, Google Drive, and Jive are incredibly popular. The average company uses 27 file-sharing services and 45 collaboration services today, which may actually impede collaboration.17 The security controls of file-sharing and collaboration services can vary widely, so organizations must also evaluate the services to understand the risk they present to the organization. Some services claim ownership of your data, don’t encrypt data at rest, or permit anonymous use, making them unsuited for enterprise use.

The average company uses 27 different file sharing services, inhibiting collaboration and creating risk.

In addition to the security risk, companies must evaluate the compliance risk as well. 22% of files uploaded to file-sharing cloud service contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; or PHI (protected health information) such as medical record number or health plan beneficiary number. Organizations must ensure that their valuable data is protected and that the use of file-sharing and collaboration services is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.

Files are frequently shared via public links, which can be accessed by anyone without restriction.

Additionally, many cloud services offer more than just file syncing across devices; they’re platforms for collaborating with other people. No matter how secure a cloud provider is, end users can always use their service in risky ways. Naturally, users share files with other people at their companies, but files are also frequently shared via public links, which can be accessed by anyone without restriction.


In fact, 11% of all documents shared via file-sharing services were shared outside the company. The majority of these external collaborators turned out to be business partners, but 18% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.

Organizations must ensure that their governance policies, dictating who has access to services and their data, are enforced. Below are key questions related to file- sharing and collaboration that IT Security should be able to answer:

VISIBILITY

• How many file-sharing and collaboration services are we using, and what is the risk ofeach?• Which types of sensitive data are uploaded into our file-sharing and collaborations services and where is itbeingstored?

COMPLIANCE DATA

• Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?• Which data loss prevention policies for which services do Ineed to implement to ensure compliance with industry regulations movingforward?• Are our cloud DLP policies perfectly aligned with the DLP policies we enforce on-premises?

THREAT DETECTION

• Are there behavioral anomalies, such as excessive downloads of confidential information, that indicate an insiderthreat?• Are there behavioral anomalies, such as repeated logins from an unusual geography, that indicate a compromised identity?

DATA SECURITY

• Which devices and geographies are employees accessing file-sharing and collaboration servicesfrom?• How do we see what data is shared publicly now, and how do we restrict collaboration to verified business email accounts?

8% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.


18 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT FILE-SHARING AND COLLABORATION USAGE:1 Usage analytics across all file-sharing and collaboration services for both individuals and business units.

2 Ability to identify redundant file-sharing and collaboration services and coach users over to standardizedlow-risk services.

3 Ability to identify all third party application accessing file-sharing and collaboration services and their data.

4 Detailed activity monitoring of all user, admin, and third- party application activities including uploads, downloads, views, edits, and deletes.

5 Ability to identify sensitive data subject to compliance requirements or security policies.

6 Ability to enforce DLP policies and support several actions, including alerting, blocking, tombstoning, and quarantining.

7 Out-of-the-box DLP templates for all major verticals and regulations to help identify sensitive content.

8 Ability to extend existing DLP policies from on-premises systems and provide integration and closed-loopremediation.

9 Behavioral modeling of normal user and admin activity within the file-sharing and collaboration services.

10 Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat.

11 Integration with SIEMS for incident response remediation.

12 Ability to identify all externally shared data and view sharing permissiondetails.

13 Ability to enforce external sharing policies based on domain whitelist/blacklist and content.

14 Ability to coach users on acceptable use when in violation of security, compliance, and governance policies.

15 Integration with SAML v2 compatible single sign-onservices.

16 Ability to encrypt data with peer- and academia-reviewed encryption schemes.

17 Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol.

18 Ability to deploy in the cloud, on-premises as a virtual appliance, or in a hybrid architecture.


What is a CASB?KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)

With cloud adoption accelerating every year, enterprise IT is looking for ways to partner with the business to enable secure utilization of the cloud. Increasingly, these enterprises are turning to a new breed of technology, referred to by Gartner as “Cloud Access Security Brokers” (CASB), in order to do this.

Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud Access Security Broker category in May 2012 in their report “The Growing Importance of Cloud Security Brokers,” G00233292. Other firms, such as Forrester, Securosis, and 451 Research have defined similar categories, alternatively referring to the technology as Cloud Security Gateways and Cloud Access Controllers. Since then, Gartner has elevated the importance of CASB and now lists it as #1 in the top ten technologies for information security.

Cloud access security brokers (CASBs) are on-premises or cloud- based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, singlesign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.Gartner

Cloud Access Security Brokers are on-premises or cloud-hosted software that acts as a control point to secure cloud services. They generally offer a range of capabilities including visibility, encryption, auditing, data loss prevention (DLP), access control, and anomaly detection. While cloud providers individually offer some of these capabilities, many organizations are looking for consistent policy enforcement across cloud providers. Given the limited resources to operationalize a new security process with existing resources, these capabilities should ideally be delivered as part of a single solution, offering one control point.

In determining whether your organization needs a CASB, Gartner provides several questions, shared below. If the answer to one or more of the questions is “no”, Gartner recommends that your organization considers investing in a CASB.


10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS A CASB, FROM «MIND THE SAAS SECURITY GAPS»:

1 Can Iidentify all of the cloud services employees are using and assess the risk of each service?

2 Can Iidentify which cloud services are housing sensitive corporate data, and how much data is in each service?

3 Can I identify which users are sharing data, what data they are sharing, and with whom?

4 Does the data being shared contain sensitive information such as PII, PHI, or financial data?

5 Can Ienforce encryption, tokenization, or redaction to protect sensitive data?

6 Which devices and locations are users accessing cloudservices from?

7 Can I enforce contextual access policies t o prevent specific devices, geographies, or IP addresses from accessing enterprise cloud services?

8 Can I proactively recommend enterprise-ready cloud services to employees or business units in need of specific capabilities or categories of cloud services?

9 Can I detect compromised cloud service accounts and prevent malicious behavior?

10 Can Ioffer specific security capabilities such as encryption or data loss prevention for cloud services that don’t have those capabilities built in?

A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud service.

This enables IT to securely enable the use of cloud services within their organizations without compromising compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity of securing data in the cloud.


Quantifying the Value of a Cloud Access Security Broker

KEY STAT: ORGANIZATIONS USING CASB TO MANAGE BOTH SHADOW IT AND SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97%.

A Cloud Access Security Broker can provide value across two axes: cost savings and risk reduction. Within cost saving there are 6 primary areas of cost reduction:

1. Reduction in manual efforts required to analyze log data for cloud visibility.

2. Streamlined security assessments for cloud services.

3. Elimination of unapproved IaaS usage.

4. Subscription consolidation

5. Eliminationof orphaned subscriptions.

6. Accelerated response to breaches and vulnerabilities.

In addition to cost savings, cloud access security brokers can also mitigate risk in the enterprise. Risk mitigation from the use of a CASB is typically comprised by the following four factors:

1. Reduction in data lost due to us of cloud services.

2. Reduction in data lost due to insider threats of high-risk services

3. Reduction in risk o f a compliance violation security breaches.


Below is a table quantifying some of the risk reduction metrics achieved by companies that implemented to manage their cloud adoption and risk.

Summarizing the key findings, we see that organizations increased their use of low-risk cloud services by 83%, decreased their use of high-risk services by 50%, and decreased the volume of data sent to high-risk file-sharing services by 97%. In total, organizations that managed their Shadow IT and Sanctioned IT with CASB reduced their overall cloud risk score by 59%.

Attribute Before After Improvement

High-Risk Service % 16% 8% 50%

Monthly Data Sent to High-Risk Services 31GB 6.7GB 79%

High-Risk File Sharing Services 6 1.3 78%

Monthly Data Sent to High-Risk File Sharing Services

16GB 0.5GB 97%

Active Tracking Services 32 4 87.5%

Low-Risk Service 12% 22% 83%

Enterprise CloudRisk Score 6.4 3.8 59%

Organizations using a CASB decreased the volume of data sent to high- risk file- sharing services by 97%


Conclusion - Parting Guidance on Evaluating CASB VendorsWhen evaluating different CASB vendors, there are several factors IT leaders must consider. In addition to understanding whether the capabilities offered match the business requirements, IT leaders must determine whether the deployment model fits with their organization. For example, organization should consider whether they want their CASB to be cloud-based or if they prefer to manage all of the infrastructure and maintenance of an on-premises solution themselves.

Additionally, organizations should consider whether they are looking for a frictionless approach requiring no agents or if they would prefer a solution that installs agents or PAC fileson users’work and personaldevices.Finally, organizationsshouldconsiderwhetherthe CASB vendor has supported other companies in similar verticals and of similar size.

Many CASB vendors are emerging and have not yet deployed their solution at scale. This may be acceptable to a smaller organization, but this is likely to be an area of concern for a larger enterprise. To get started, Gartner offers a framework for evaluating CASB vendors organized around the types of cloud services the enterprise is aiming to enable. This framework is provided below for your reference:

SHADOW IT:

• Ask CASB vendors to generate a cloud visibility report with your data during the proof-of-value process.• Analyze the categories and individual cloud services in use, and identify the risk associated with the service and its usage.• Create a corporate policy about which cloud services to block or to allow, and then determine the depth of security controls and API integrations the CASB vendor can enforce for your permitted cloud services.• Select only those CASB vendors whose solution fits with your company vision on cloud and mobility.

EXISTING SANCTIONED IT SERVICES:

• Analyze the redirection methods offered by various CASB vendors, and determine if they align with your enterprise’s mobile device policy (i.e. managed devices vs. bring your own device [BYOD]).• Evaluate o n l y the C A S B vendors that are least disruptive t o your current environment.• Evaluate CASB vendors that can extend common security capabilities to multiple cloud services from a single management console.

NEW SANCTIONED IT SERVICES:

• Include CASB and identity management products when budgeting for new cloud services and account for them in enterprise architecture discussions• Evaluate your current infrastructure architecture program to identify spending that could be re-directed to CASB for use with cloud services that are planned or in use already. This is an architecture change that will be necessary if you plan to move to cloud services in the future.


Feel free to contact us:

Get the latest notifications and updates from Aiuken.

Subscribe via email

OVANES MIKHAYLOVINTERNATIONAL BUSINESS DEVELOPMENT DIRECTOR

[email protected]

www.aiuken.com/uae

DMCC I5 Premium Business Centre, Gold Tower, JLTDubaiUnited Arab EmiratesPhone: +971 54 499 4659

http://eepurl.com/cRzvXT

mailto:ovanes%40aiuken.com?subject=

http://www.aiuken.com/uae

The Definitive Guide to CLOUD SECURITY · IDC shows that security and privacy remain the top...

Documents

Transcript of The Definitive Guide to CLOUD SECURITY · IDC shows that security and privacy remain the top...