eBook:
The Definitive Guide to
CLOUD SECURITY The Definitive Guide to Cloud Security
Brought to you by Brought to you by
Table of Contents
Chapter 1: Introduction – Cloud Adoption and Risk Today
Page 1
Chapter 2: Cloud Visibility
Page 4
Chapter 3: Cloud Compliance
Page 7
Chapter 4: Cloud Threat Prevention
Page 11
Chapter 5: Cloud Data Security
Page 16
Chapter 6: Shadow IT
Page 21
Chapter 7: CRM
Page 25
Chapter 8: File-Sharing and Collaboration
Page 28
Chapter 9: What is a CASB?
Page 33
Chapter 10: Quantifying the Value of a Cloud Access Security Broker
Page 36
Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors
Page 39
Table of Contents
Chapter 1: Introduction – Cloud Adoption and Risk Today
Page 1
Chapter 2: Cloud Visibility
Page 4
Chapter 3: Cloud Compliance
Page 7
Chapter 4: Cloud Threat Prevention
Page 11
Chapter 5: Cloud Data Security
Page 16
Chapter 6: Shadow IT
Page 21
Chapter 7: CRM
Page 25
Chapter 8: File-Sharing and Collaboration
Page 28
Chapter 9: What is a CASB?
Page 33
Chapter 10: Quantifying the Value of a Cloud Access Security Broker
Page 36
Chapter 11: Conclusion - Parting Guidance on Evaluating CASB Vendors
Page 39
CHAPTER 1
Introduction – Cloud Adoption and Risk Today KEY STAT: 60% OF CIOS ARE MAKING THE CLOUD THEIR #1 PRIORITY THIS YEAR
The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making employees more productive and businesses more agile. As the cloud market matures, analysts and market researchers are discovering hard data supporting the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne Research show that the cloud is providing organizations with a 21% reduction in product time to market, a 17% reduction in IT maintenance costs, a 15% reduction in IT spend, and an 18% increase in employee productivity.1 With these types of metrics in hand it’s no surprise that 60% of CIOs state that the cloud is their #1 priority this year.2 ,
However, this enthusiasm for cloud adoption is tempered by security, compliance, and governance concerns. Analyst firm IDC shows that security and privacy remain the top inhibitors of cloud adoption.3 Given the seemingly endless supply of headlines on data breaches, it’s understandable, if not expected, that security of data in the cloud is now a board-level concern for 61% of organizations, according to a recent study by study by the Cloud Security Alliance (CSA). (CSA).
1
2
3
http://venturebeat.com/2012/08/07 http://venturebe at.com/2012/08/07/google-cfo-clou /google-cfo-cloud-study/ d-study/ http://www.businessinsider.com http://www.b usinessinsider.com/infographic-its-no /infographic-its-not-easy-to-be-a t-easy-to-be-a-cio-2012-2#!HqX9 -cio-2012-2#!HqX9ii http://www.opendatacente http://www.o pendatacenteralliance.org/ ralliance.org/docs/1264.pdf docs/1264.pdf
The phenomenon of employees’ self-enabled cloud services (those procured and managed outside of IT’s purview), often referred to as “Shadow IT,” complicates the situation for IT and IT Security teams. Even if organizations are taking a deliberate approach to cloud and adopting cloud services strategically while implementing the required security, compliance, and governance controls around them, employees are likely not acting with the same consideration when they sign up for new cloud services on their own. In fact, with up to 90% of cloud activity driven by individuals and small teams, the average company now uses 897 cloud services, up 43% over the last year .4
60% of CIOs state that the cloud is their #1 priority this year.
Vanson Bourne Research
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014 4
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014.
With cloud adoption at an all-time high and damaging headlines catalyzing conversations around data security, enterprise IT is looking for ways to partner with the business to manage the move to the cloud. Increasingly, these enterprises are turning to analyst and industry thought leaders to help them navigate this new and evolving security landscape. Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner have been particularly adept in providing the market with a usable framework for managing cloud security. Their framework organizes around four pillars of functionality: Visibility, Compliance, Threat Prevention, and Data Security. In this eBook we will dive into the details of each pillar, providing relevant and related data points for consideration, and describe how forward-leaning IT teams are managing cloud security using this framework.
In 2015, roughly 10% of overall IT security enterprise capabilities will be delivered as a cloud service.
,
Gartner
CHAPTER 2
Cloud Visibility KEY STAT: 72% OF COMPANIES DON’T KNOW THE SCOPE OF
SHADOW IT AT THEIR ORGANIZATION BUT WANT TO KNOW
Cloud services are incredibly easy to adopt, with most requiring only an email or a credit card to sign up. The result is that individual users and business units often begin using cloud services without any involvement from IT. The benefit is that users and business units are able to readily and rapidly adopt services that drive productivity and agility for the business. The downside is that IT often has little to no visibility into the full scope of IT services employees are using. Without visibility, it becomes very difficult for IT to manage both cost expenditure and risk in the cloud. With regards to visibility, Gartner says that enterprises must protect their sensitive data for various commercial and legal reasons. Regardless of whether the cloud services in use are shadow IT or sanctioned IT, businesses need visibility into which services employees are using, what data is stored in them and shared from them, any anomalies in usage behavior that indicate a compromised account, and who is using each service and from which devices and geographies. Enterprises must also ensure that they don’t cross a “perceived ethical of legal privacy boundary” when monitoring the use of cloud services. For example, the same methods that can be used to monitor sanctioned cloud services, could also be used to monitor personal Facebook or Instagram accounts. Requirements for privacy may vary greatly in different verticals and geographies.
Enterprises must also integrate their cloud visibility into existing systems, such as Security Information and Event Management (SIEM) products for continuous monitoring and event management.5 The average employee uses 27 different cloud services at work6, including six collaboration services, four social media services, and three file-sharing services. Many of the services used in the office are consumer grade services and security is not a given, so understanding which services employees are using, what type of data is uploaded and shared through the services, and what security capabilities the services have is a must.
30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects.
Cloud Security Alliance
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
5
6
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER
RELATED TO CLOUD VISIBILITY:
Which services are employees and business units using overall and in each category (e.g. file sharing, social media, collaboration)?
7
Which services house sensitive or confidential data today?
2
Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
8
What are the security capabilities of the services storing sensitive data?
3
What is the risk level of each service in use?
9
Which data is available to external collaborators outside of the company?
4
How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?
5
Which redundant services are employees using, and are they introducing additional cost and risk or inhibiting collaboration?
6
How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
1
10
11
12
Which partners’ cloud services are employees accessing and what’s the risk of these partners?
,
Which external collaborators are granted access to our company’s services?
How do I track and log all user and admin actions for compliance and investigations?
CHAPTER 3
Cloud Compliance KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING
CLOUD SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER Today’s enterprises have deployed cloud services to support CRM, ERP, HR, Collaboration, and Backup operations. Applications like Salesforce, ServiceNow, Workday, Box, and Office 365, support mission-critical business functions, and because of this they often house sensitive or confidential information, such as customer data, financial data, employee data, IP, or security infrastructure data. Locating this type of data in the cloud is not a rare event; in fact, it is now commonplace. For example, 22% of files uploaded to file-sharing services contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; and PHI (protected health information) such as medical record number or health plan beneficiary number. Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud service that contained sensitive or confidential data over the course of a business quarter.7 In order to drive compliance, IT leaders are looking for ways to identify enterprise-ready cloud services that support various use cases, locate where sensitive data is housed, audit how sensitive data is handled, and protect sensitive data from loss. With regards to compliance, Gartner says that compliance will always be a core security deliverable. 7
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Compliance will always be a core security deliverable.
Gartner
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
They indicate that, with regards to SaaS applications, compliance-supporting activities should cover: •
•
•
8
Answering the who, what, when, why, and where questions with provable data for various compliance regimes. Providing assistance with out-of-the-box compliance reporting for major compliance standards.
•
•
Auditing user behavior across cloud applications, regardless of the device (e.g. PC or mobile) or method of access (e.g. browser or mobile app).
Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
Enabling integration within the enterprise by supporting log generation that can be used with existing SIEMs. Guiding the organization to specific cloud services that satisfy both functional requirements of the users and the compliance and risk requirements of the business. This is especially important given the thousands of options available in the cloud today.8
As Gartner references, there are over 10,000 cloud applications today, all with varying degrees of security, compliance, and governance capabilities. Despite this diversity of offerings, companies across industries must ensure compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations. In order to do so they must ensure the protection of various types of personal information, including:
•
Name
•
Bank account numbers
•
Address
•
Professional certificate or license number
•
Birthdate
•
License plate number
•
Telephone or fax number
•
URLs or IP address
•
Email address
•
Finger and voice prints
•
Social security number
•
Full face photographs
•
Medical record number
•
Any unique identifying number
•
Health plan number
While the cloud provider is responsible for the security of their product, compliance is based on a shared responsibility model, whereby the enterprise using the cloud service must also take measures to maintain the privacy of employee and customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all share responsibility for compliance.
80% or cloud governance committees include IT Security.
Cloud Security Alliance
KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER
RELATED TO CLOUD COMPLIANCE:
Which applications house sensitive data subject to regulatory compliance?
6
Which administrators have behavioral anomalies that indicate excessive privilege access?
2
What are the security capabilities of the services housing sensitive data?
7
When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?
3
What are the legal terms of the services housing sensitive data?
8
How do we leverage previous resource investments and extend existing on-premise data loss prevention policies to the cloud?
4
Which employees are accessing sensitive data, and how are they using or sharing it?
9
How do we implement a closed workflow to review, remediate compliance violations, and educate violators?
5
Which employees are uploading sensitive data to high-risk services?
10
Is sensitive data kept in a specific country or region to comply with international data residency requirements?
1
CHAPTER 4
Cloud Threat Prevention KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR,
BUT 85% OF COMPANIES EXPERIENCED ONE
Cloud services, like on-premise systems, can be the target of attacks aimed at stealing corporate data or damaging the business. Attacks typically leverage the cloud in one of two ways: they use cloud services as sources of sensitive data to steal, or they use cloud services to exfiltrate stolen data. Some enterprise-ready cloud services have security capabilities that exceed those of the enterprise data center, but that does not necessarily protect them from insider threats or compromised identities. In fact, compromised identities and insider threat are the two main drivers of the first threat vector (cloud services as the source of data to steal), and they are far more common than most IT professionals realize.
According to the Cloud Security Alliance, 17% of companies reported an insider threat last year, but in fact 85% of companies experienced one. 9 This discrepancy exists because so many attacks go under the radar today. Further, 92% of companies have at least one corporate cloud service login credential available for sale on the darknet today.10
30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects.
Cloud Security Alliance
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014 9
Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
10
In order to prevent against insider threats, organizations can employ machine learning to identify anomalous behavior that indicates a threat in progress. Triggers are often large or repeated downloads of sensitive data or excessive privileged user access. Insider threats could be aimed at stealing enterprise data from the cloud, such as IP from a file sharing service or security infrastructure from an IT management service, but the most common insider threat seems to be the theft of customer sales data from CRM services, perpetrated by sales reps or sales operations managers who plan to leave the company. Additionally, malware attacks are also now targeting cloud services. Last year’s much publicized Dyre malware would monitor browser activity to steal credentials for cloud services that housed valuable corporate data. Attackers also increasingly look upon cloud services as a clever way to exfiltrate data under the radar. With the average company using almost 900 cloud services today and IT often not having visibility into their usage, attackers know that unmanaged cloud services can be a fertile territory for malicious behavior and frequently use popular and seemingly harmless services to execute their operations. For example, malware employed by a foreign national government recently used YouTube to exfiltrate stolen intellectual property. The attackers created VAR segments, inserted the stolen data into mpg4 files, and then uploaded them onto YouTube. The videos would play within YouTube, but once downloaded the VAR segments could be unpacked providing the attackers with the stolen data. In another startling example, malware leveraged a Twitter account to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While these attacks are almost amusingly clever, they serve as a serious reminder that threat prevention must be a core focus of any cloud security project.
31% of companies are “not sure” if they experienced an insider threat incident last year.
Cloud Security Alliance
With regards to threat detection, Gartner says that, in on-premise applications that were protected by network/host security and access management, Security could control all application access from authorized users from defined locations while also inspecting for malicious content, regardless of the network channel or protocol. However, in today’s Internet Age, with billions of users accessing the Internet via browsers, enterprise cloud applications are now accessible to anyone with an internet connection. Because of this fundamental change, new controls are required in order to protect enterprise data. Particularly, new controls are needed for cloud service to manage events such as:
•
Access from known suspicious countries, locations, devices, locations, or unusual access times or data volumes.
•
•
•
•
Access from compromised cloud service accounts. Access from canceled accounts or from accounts that have remained idle for excessive periods of time.
Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
11
Access directly to cloud services that bypasses security controls. Access via outdated operating systems or browsers that are no longer supported and are thus more vulnerable to attacks.11
Malware leveraged Twitter to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets.
KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER
RELATED TO CLOUD THREAT DETECTION:
What does normal behavior for any given service look like?
6
Which cloud services have behavioral anomalies that indicate insider threat?
2
How does a user’s role affect their normal cloud service usage patterns?
7
Which cloud services have behavioral anomalies that indicate malware at work?
3
How do I monitor and baseline usage across the enterprise for both local and remote employees?
8
4
Which users are accessing large volumes of sensitive data?
9
5
Which administrators are accessing large volumes of sensitive data?
1
Which cloud services have behavioral anomalies that indicate an account is compromised?
Which cloud services in use are rated as high-risk and have an anonymous use policy?
CHAPTER 5
Cloud Data Security KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION,
ONLY 5% ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.
As many a CIO and CISO will tell you - IT Security, today, is all about protecting data, not data centers – and this is largely product of cloud. When considering data security, it can be helpful to examine both the security of the service the data lives in and the security of the devices that have access to the data. Some cloud services have security capabilities that far exceed most corporate data centers. However, with over 10,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features. Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt data at rest. For this reason, it is important to look at the risk of services individually and enable risk-based policies on acceptable usage.12 In services with high levels of built-in security, users and their devices can often be the weakest link. Users frequently lose devices or leave them in insecure locations and are prone to lose passwords as well. 12% of employees have at least one corporate identity (username and password) for a cloud service that has been compromised for sale on the darknet (online black markets) today.13 12, 13
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
A study by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are re-used in multiple places. The implication here is that, for 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services in use by that person as well. Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be immense.
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Enterprises can improve the security of their data by employing access control policies for cloud services that take into account the context of the user, data, device, and location. For example, an executive may be able to view and download important financial data to her laptop when in the office, but may be restricted to viewing only when on her mobile device in a foreign country. Additionally, enterprises can take extra steps to ensure the security of their data by employing encryption and tokenization and controlling their own keys. Encryption can be tricky, and several considerations must be made when evaluating encryption options. First, enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia-reviewed to ensure that they are up to modern cryptographic standards. Second, enterprises must also verify that the algorithms used can support the required functionality of their application since there is a trade-off between the security of an algorithms and the functionality that it can support. To better understand the specific tradeoffs, read The Cloud Encryption Handbook: Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to maximize data security, enterprises must own their own encryption keys. By taking ownership of their keys, they prevent a malicious insider at a cloud service or an inquiring government agency from gaining access to their data.
Enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peerand academiareviewed to ensure that they are up to modern cryptographic standards.
With regards to data security, Gartner says that data is mission-critical to the enterprise and that securing that data is the primary goal of any IT Security organization. Therefore, if the enterprise is moving its data into cloud services, IT Security must:
•
•
•
•
14
Ensure that sensitive data is encrypted using known good algorithms or tokenized before entering the cloud service via a configurable data security policy. Ensure that robust authentication procedures are defined and enforced, including central credential store usage, certificates, and multi-factor authentication.
•
•
•
Support encryption key management via a hardware security module (HSM). Ensure that only the authorized users and groups have access to enterprise data.
Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
Prevent data from being lost within cloud services when the owner is de-provisioned. Ensure functionality within cloud services is maintained when data within those services is encrypted or tokenized so that the value of the services can be fully realized. Ensure that data loss prevention and e-discovery are available for cloud services, just as they are for on-premise systems today.14
73% of IT Security teams list security of their data in the cloud as a top challenge holding back cloud projects.
Cloud Security Alliance
KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER
RELATED TO CLOUD DATA SECURITY:
1
Which cloud services encrypt data at rest and provide multi-factor authentication?
6
How do we encrypt data while maintaining required functionality within cloud services?
2
What are the compliance certifications of the services employees are using?
7
How do we encrypt data while controlling our own encryption keys?
3
Which of our cloud services undergo regular penetration testing?
8
How do we employ tokenization to ensure data privacy in addition to security?
4
Which of our cloud services has been compromised in the last week, month, year?
9
How do we enforce access policies based on user, device, and location?
5
Which data should be encrypted in which cloud services?
CHAPTER 6
Shadow IT KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES.
ON AVERAGE, IT IS AWARE OF 3 OF THEM. Shadow IT refers to information technology that is managed outside of, and without the knowledge of, the IT department. At one time Shadow IT was limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department.15 This rapid growth is partly driven by the quality of consumer applications in the cloud such as file -sharing apps, social media platforms, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterpriseclass SaaS applications. In many ways Shadow IT is helping to make businesses more competitive and employees more productive. When employees and departments deploy SaaS applications, it can also reduce the burden on IT help desks to take calls. However, while IT is no longer responsible for the physical infrastructure or even managing the application, it’s still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. Instead of seeing Shadow IT as a threat, Ralph Loura, CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify the applications they want to use so IT can enable the ones that have gained traction and are enterprise-ready. 15
http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/
According to Loura, “We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.” Promoting low-risk services that have reached a tipping point starts with understanding what cloud services employees use, how they use them, and their associated risk.
We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. Ralph Loura, CIO Enterprise Group, HP ,
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
When IT examines the use of cloud services across the organization, they generally find Shadow IT is 10 times more prevalent than they initially assumed, with the average organization today using 897 different cloud services. 16 Often IT departments discover many services in use that they have never heard of before. After auditing the risk of each service and its security controls, IT teams can make informed choices about what services to promote or enable. This is more than just an exercise in risk management. The average company uses nearly 30 different file-sharing services, and using this many different services can impede collaboration between employees. Standardizing on enterprise licenses for 2-3 services not only improves collaboration, but also reduces cost. Below are key questions related to shadow IT that IT Security should be able to answer:
VISIBILITY Which users and business units are using which cloud services, and what is the risk of each of the services in use?
•
THREAT DETECTION •
•
How effective are my firewalls and proxies at enforcing my cloud security policies?
•
COMPLIANCE Where is sensitive data being stored today, and what certifications do services storing sensitive data have?
•
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
16
Are there behavioral anomalies that indicate a security breach from malware or a compromised identity?
DATA SECURITY •
•
Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward?
•
Are there behavioral anomalies that indicate an insider threat?
Which data in which services can users access from various devices? Do I need to encrypt or tokenize data to protect confidential or sensitive information?
Last quarter, the average company uploaded 86.5 GB to high-risk cloud services.
Q2 Cloud Adoption and Risk Report
19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:
1
Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data transfers
11
Ability to leverage policies from on-premise DLP systems and extend them to cloud services
2
On-premise tokenization of log data for security and privacy
12
Ability to quantify cloud risk, compare it to benchmarks from peers in the industry, and track it over time
3
Comprehensive cloud registry covering a minimum of 10,000 cloud services
13
Anomaly detection across all services to identify insider threats or security breaches
4
Detailed risk assessments provided for all cloud services
14
Ability to identify unmatched uploads for further investigations
5
Usage analytics to identify redundant services and popular and growing services primed for enterprise adoption
15
Integration with SIEMs for incident response remediation
6
Ability to audit the e ffectiveness of firewall and proxies at enforcing policies
16
Darknet intelligence to identify stolen credentials of employees
7
Closed-loop remediation with firewalls and proxies
17
User reputation analysis based on correlated activities across cloud services
8
Ability to coach employees using integration with firewalls and proxies
18
Function-preserving encryption for data security
9
Customizable reporting with automatic periodic reporting capabilities
19
Frictionless deployment that doesn’t impact end users
10
Vertical-specific, pre-built DLP policy templates
CHAPTER 7
CRM KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL
FINANCIAL DATA, PII, OR PHI Customer Relationship Management (CRM) platforms, such as Salesforce, provide business-critical functionality for Sales, Sales Operations, Customer Service, and Marketing. In order to support these business units, CRM services frequently contain sensitive or confidential customer information including PII, financial data, or PHI. While popular CRM platforms such as Salesforce have industry-leading security capabilities, organizations must ensure that their valuable data is protected and that the use of their CRM service is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
Enterprises must not rely solely on the security capabilities of the CRM service itself, as users may not always be using cloud products in ways that meet your security, compliance, and governance requirements. For example, users may be storing sensitive data such as payment card data and protected health data in Salesforce as part of their normal workflow outside of policy, putting the organization at risk of compliance violations. Or, consider the example of a salesperson that downloads all the company’s opportunities before leaving to join a competitor. Below are key questions related to CRM services that IT Security should be able to answer:
VISIBILITY •
•
How many instances of Salesforce, or other CRM applications, are we running? Which users and groups are using which products, and where is sensitive data stored?
COMPLIANCE •
•
Which types of sensitive data are uploaded into our CRM service in customer fields or comments sections and where is it being stored? Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?
CRM is expected to grow to a $36.5 billion market worldwide within the next three years.
THREAT DETECTION •
•
Are there behavior anomalies, such as a salesperson downloading more data than usual, that indicate an insider threat? Are there behavioral anomalies, such as a salesperson logging in from Boston and Bangkok within the same hour, that indicate a compromised identity?
DATA SECURITY •
•
Which devices and geographies are employees accessing CRM services from? How can I encrypt or tokenize data while maintaining important functionalities like search, sort and order?
Gartner
17 KEY REQUIREMENTS FOR ENABLING SECURE AND
COMPLIANT CRM USAGE:
1
Usage analytics across all CRM services for both individuals and business units
10
Academia- and peer-reviewed encryption schemes
2
Ability to identify redundant CRM services and coach users over to standardized services
11
Ability to substitute sensitive data with randomly generated tokens (tokenization) to keep data on-premise and satisfy data residency requirements
3
Ability to identify all third-party applications accessing CRM services and their data
12
Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol
4
Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads, views, edits, and deletes
13
Behavioral modeling of normal user and admin activity within the CRM services
5
Ability to identify sensitive data subject to compliance requirements or security policies
14
Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat
6
Ability to enforce DLP policies and support several actions, including alerting and blocking
15
Integration with SIEMs for incident response remediation
7
Ability to extend existing on-premise DLP policies from on-premise systems and provide integration and closedloop remediation
16
Integration with SAML v2 compatible single sign-on services
8
Ability to encrypt structured and unstructured data with standards-based AES or function-preserving encryption using enterprise-owned encryption keys
17
Ability to deploy in the cloud, on-premise as a virtual appliance, or in a hybrid architecture
9
Ability to apply encryption while preserving enduser functions such as search, sort, and format
CHAPTER 8
File-Sharing and Collaboration KEY STAT: 22% OF FILES UPLOADED TO FILE-SHARING CLOUD SERVICES CONTAIN
SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION OR PHI ,
File-sharing and collaboration services like 0ffice 365, Box, Dropbox, Google Drive, and Jive are incredibly popular. The average company uses 27 file-sharing services and 45 collaboration services today, which may actually impede collaboration.17 The security controls of file-sharing and collaboration services can vary widely, so organizations must also evaluate the services to understand the risk they present to the organization. Some services claim ownership of your data, don’t encrypt data at rest, or permit anonymous use, making them unsuited for enterprise use.
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
17
The average company uses 27 different filesharing services, inhibiting collaboration and creating risk.
Q4 2014 Cloud Adoption and Risk Report
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
In addition to the security risk, companies must evaluate the compliance risk as well. 22% of files uploaded to file-sharing cloud service contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; or PHI (protected health information) such as medical record number or health plan beneficiary number. Organizations must ensure that their valuable data is protected and that the use of file-sharing and collaboration services is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
Additionally, many cloud services offer more than just file syncing across devices; they’re platforms for collaborating with other people. No matter how secure a cloud provider is, end users can always use their service in risky ways. Naturally, users share files with other people at their companies, but files are also frequently shared via public links, which can be accessed by anyone without restriction.
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Files are frequently shared via public links, which can be accessed by anyone without restriction.
In fact, 11% of all documents shared via file-sharing services were shared outside the company. The majority of these external collaborators turned out to be business partners, but 18% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.18 Organizations must ensure that their governance policies, dictating who has access to services and their data, are enforced. Below are key questions related to file-sharing and collaboration that IT Security should be able to answer:
VISIBILITY •
•
How many file-sharing and collaboration services are we using, and what is the risk of each? Which types of sensitive data are uploaded into our file-sharing and collaborations services and where is it being stored?
COMPLIANCE •
Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?
THREAT DETECTION •
•
•
18
Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward? Are our cloud DLP policies perfectly aligned with the DLP policies we enforce on-premise?
Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014
Are there behavioral anomalies, such as repeated logins from an unusual geography, that indicate a compromised identity?
DATA SECURITY •
•
•
Are there behavioral anomalies, such as excessive downloads of confidential information, that indicate an insider threat?
Which devices and geographies are employees accessing file-sharing and collaboration services from? How do we see what data is shared publicly now, and how do we restrict collaboration to verified business email accounts?
18% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.
Q4 Cloud Adoption and Risk Report
18 KEY REQUIREMENTS FOR ENABLING SECURE AND
COMPLIANT FILE-SHARING AND COLLABORATION USAGE:
1
Usage analytics across all file-sharing and collaboration services for both individuals and business units
10
Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat
2
Ability to identify redundant file-sharing and collaboration services and coach users over to standardized low-risk services
3
Ability to identify all third party application accessing file-sharing and collaboration services and their data
12
Ability to identify all externally shared data and view sharing permission details
4
Detailed activity monitoring of all user, admin, and thirdparty application activities including uploads, downloads, views, edits, and deletes
13
Ability to enforce external sharing policies based on domain whitelist/blacklist and content
5
Ability to identify sensitive data subject to compliance requirements or security policies
14
Ability to coach users on acceptable use when in violation of security, compliance, and governance policies
6
Ability to enforce DLP policies and support several actions, including alerting, blocking, tombstoning, and quarantining.
15
Integration with SAML v2 compatible single sign-on services
7
Out-of-the-box DLP templates for all major verticals and regulations to help identify sensitive content.
16
Ability to encrypt data with peer- and academia-reviewed encryption schemes
8
Ability to extend existing on-premise DLP policies from on-premise systems and provide integration and closed-loop remediation
17
Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol
9
Behavioral modeling of normal user and admin activity within the file-sharing and collaboration services
18
Ability to deploy in the cloud, on-premise as a virtual appliance, or in a hybrid architecture
11
Integration with SIEMS for incident response remediation
CHAPTER 9
What is a CASB? KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE
THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)
With cloud adoption accelerating every year, enterprise IT is looking for ways to partner with the business to enable secure utilization of the cloud. Increasingly, these enterprises are turning to a new breed of technology, referred to by Gartner as “Cloud Access Security Brokers” (CASB), in order to do this. Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud Access Security Broker category in May 2012 in their report “The Growing Importance of Cloud Security Brokers." Other firms, such as Forrester, Securosis, and 451 Research have defined similar categories, alternatively referring to the technology as Cloud Security Gateways and Cloud Access Controllers. Since then, Gartner has elevated the importance of CASB and now lists it as #1 in the top ten technologies for information security.19 ,
19
http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014
Cloud Access Security Brokers are on-premise or cloud-hosted software that acts as a control point to secure cloud services. They generally offer a range of capabilities including visibility, encryption, auditing, data loss prevention (DLP), access control, and anomaly detection. While cloud providers individually offer some of these capabilities, many organizations are looking for consistent policy enforcement across cloud providers. Given the limited resources to operationalize a new security process with existing resources, these capabilities should ideally be delivered as part of a single solution, offering one control point. In determining whether your organization needs a CASB, Gartner provides several questions, shared below. If the answer to one or more of the questions is “no,” Gartner recommends that your organization considers investing in a CASB.
Cloud access security brokers (CASBs) are on-premise or cloudbased security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
Gartner
10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS
A CASB, FROM “MIND THE SAAS SECURITY GAPS”:
1
Can I identify all of the cloud services employees are using and assess the risk of each service?
6
Which devices and locations are users accessing cloud services from?
7
Can I enforce contextual access policies to prevent specific devices, geographies, or IP addresses from accessing enterprise cloud services?
2
Can I identify which cloud services are housing sensitive corporate data, and how much data is in each service?
3
Can I identify which users are sharing data, what data they are sharing, and with whom?
8
Can I proactively recommend enterprise-ready cloud services to employees or business units in need of specific capabilities or categories of cloud services?
4
Does the data being shared contain sensitive information such as PII, PHI, or financial data?
9
Can I detect compromised cloud service accounts and prevent malicious behavior?
5
Can I enforce encryption, tokenization, or redaction to protect sensitive data?
10
Can I offer specific security capabilities such as encryption or data loss prevention for cloud services that don’t have those capabilities built in?20
A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud service. This enables IT to securely enable the use of cloud services within their organizations without compromising compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity of securing data in the cloud.
Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014
20
CHAPTER 10
Quantifying the Value of a Cloud Access Security Broker
KEY STAT: ORGANIZATIONS USING SKYHIGH TO MANAGE BOTH SHADOW IT AND
SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97% A Cloud Access Security Broker can provide value across two axes: cost savings and risk reduction. Within cost saving there are six primary areas of cost reduction: 1.
Reduction in manual efforts required to analyze log data for cloud visibility
2.
Streamlined security assessments for cloud services
3. Elimination of unapproved IaaS usage
4. Subscription consolidation 5.
Elimination of orphaned subscriptions
6. Accelerated response to breaches and vulnerabilities
Below is a chart depicting the average hard-dollar cost savings across these six categories. Summing the savings, we see that the average organization saved $1,514,251 annually by managing their shadow IT and sanctioned IT usage with Skyhigh, a leading cloud access security broker.21
$530,001
Average Reported Savings in Each Savings Category $266,000 $36,800
$186,250 $276,000 $219,200
Average expected cost savings across ten customers, broken down by savings category
Quantifying the value of a Cloud Access Security Broker
21
Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014
$1,514,251
In addition to cost savings, cloud access security brokers can also mitigate risk in the enterprise. Risk mitigation from the use of a CASB is typically comprised by the following four factors: 1.
Reduction in data lost due to the use of high-risk services
3.
Reduction in data lost due to insider threats
2.
Reduction in data lost due to security breaches
4. Reduction in risk of a compliance violation
Below is a table quantifying some of the risk reduction metrics achieved by companies that implemented Skyhigh to manage their cloud adoption and risk. Summarizing the key findings, we see that organizations increased their use of low-risk cloud services by 83%, decreased their use of high-risk services by 50%, and decreased the volume of data sent to high-risk file-sharing services by 97%. In total, organizations that managed their Shadow IT and Sanctioned IT with Skyhigh’s CASB reduced their overall cloud risk score by 59%.22
Attribute
Before
After
Improvement
16%
8%
50%
31GB
6.7GB
79%
6
1.3
78%
16GB
.5GB
97%
Active Tracking Services
32
4
87.5%
Low-Risk Service %
12%
22%
83%
Enterprise CloudRisk Score
6.4
3.8
59%
High-Risk Service % Monthly Data Sent to High-Risk Services High-Risk File Sharing Services Monthly Data Sent to High-Risk File Sharing Services
How 200 Organizations Flipped Shadow IT from Concern to Opportunity 22
How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014
Organizations using a CASB decreased the volume of data sent to highrisk file-sharing services by 97%.
CHAPTER 11
Conclusion - Parting Guidance on Evaluating CASB Vendors
When evaluating different CASB vendors, there are several factors IT leaders must consider. In addition to understanding whether the capabilities offered match the business requirements, IT leaders must determine whether the deployment model fits with their organization. For example, organization should consider whether they want their CASB to be cloud-based or if they prefer to manage all of the infrastructure and maintenance of an on-premise solution themselves. Additionally, organizations should consider whether they are looking for a frictionless approach requiring no agents or if they would prefer a solution that installs agents or PAC files on users’ work and personal devices. Finally, organizations should consider whether the CASB vendor has supported other companies in similar verticals and of similar size. Many CASB vendors are emerging and have not yet deployed their solution at scale. This may be acceptable to a smaller organization, but this is likely to be an area of concern for a larger enterprise. To get started, Gartner offers a framework for evaluating CASB vendors organized around the types of cloud services the enterprise is aiming to enable. This framework is provided below for your reference:
SHADOW IT: •
•
•
•
Ask CASB vendors to generate a cloud visibility report with your data during the proof-of-value process. Analyze the categories and individual cloud services in use, and identify the risk associated with the service and its usage. Create a corporate policy about which cloud services to block orallow, and then determine the depth of security controls and API integrations the CASB vendor can enforce for your permitted cloud services. Select only those CASB vendors whose solution fits with your company vision on cloud and mobility.
EXISTING SANCTIONED IT SERVICES: •
•
•
Analyze the redirection methods offered by various CASB vendors, and determine if they align with your enterprise’s mobile device policy (i.e. managed devices vs. bring your own device [BYOD]). Evaluate only the CASB vendors that are the least disruptive to your current environment. Evaluate CASB vendors that can extend common security capabilities to multiple cloud services from a single management console.
61% of enterprises say that cloud security is now a board level concern.
Cloud Security Alliance