Total loss of control of the ever expanding enterprise security boundary -- #WhereDidMyDataGo
Traditionally, an organization’s systems were developed, acquired and deployed inside of the corporate security boundaries for use by employees, partners and contractors in an organized, structured way. More importantly, management of and access to those systems were governed from within the organization’s IT department. Those who attempted to install their own privately or company-acquired systems had to pass through the governance structure before being given permission to deploy these systems or applications within the boundary. Since the early days of IT, this model has generally worked successfully.
Organizations have spent time and energy providing secure business solutions to protect the company’s information by building strong security boundaries and only allowing authorized connections through those security boundaries. However, everything has changed with the emergence of mobile and cloud services. The rapid growth and acceptance of these mobile devices and cloud services has brought about a new IT delivery model to the CIO’s IT service catalog -- one of an IT Broker. This new IT model has become a huge challenge that CIOs need to address. This new broker model can lead to a lack of security over company sensitive information if it is not governed, secured, managed and monitored properly.
According to the latest Cloud Report from Netskope, a cloud app analytics and policy enforcement firm, companies are using an average of 715 different cloud applications. The same report asserts that 91.9 percent of all apps are not enterprise-ready, lacking in the areas of security, audit and certification, service-level agreement, legal, and vulnerability that enterprises require for safe enablement. The Cloud Adoption & Risk Report, Q1, 2015, released by Skyhigh Networks, a cloud visibility and enablement company, found that organizations use 923 distinct cloud services, and deemed that only 9.3% meet the requirements of large enterprises for data protection, identity verification, service security, business practices, and legal protection. While 91% of providers encrypt data in transit between the cloud service and end user, just 10% encrypt data stored at rest in the cloud. Only 15% support multi-factor authentication, which can reduce the impact of compromised account credentials, and only 6% are ISO 27001 certified.
Many cloud services are built and brought to market quickly to gain market share, at the expense of infusing security into the cloud service provider’s offerings. Often when this happens, proper attention to security is deferred to a later release. However, sometimes later never comes, or comes in the form of a data breach. Unfortunately, without the basic security controls in place, you may never know if your cloud service provider was breached anyway, until the FBI comes knocking at your door.
Whether you are ready or not, the storm clouds are now home to a significant amount of your sensitive corporate data. The tectonic plates have shifted: corporations are moving rapidly from legacy systems to cloud services, with security and compliance concerns still as high as ever. Your company information is harder to protect when moved off a local, on-premises location to these new cloud services. So what can you do to harness the simplicity and productivity of these cloud services, while continuing to protect your data? Here are several practical activities for companies looking to safely enable cloud services:
- Discovery of existing inventory of cloud services by leveraging existing performance monitoring tools or a cloud application control solution which is tailored to work with cloud applications. In addition, look for monitoring support from cloud service providers to identify and determine the origin of suspicious cloud services activity.
- Proactive monitoring for unauthorized cloud usage, identifying changing patterns of network traffic, observing suspicious network activity traversing intrusion detection/prevention systems, or spotting shifts in demand for data storage can support the identification of suspicious cloud activities. Integrate next generation firewalls with a cloud application control solution to better monitor new cloud services.
- Establish a cloud security governance board that is responsible and accountable to shareholders, regulators and customers for the cloud framework of policies, standards, guidelines and processes that together ensure the organization benefits securely from cloud computing. Leverage existing cloud security governance best practices from Cloud Security Alliance, ISACA, FedRAMP, etc.
- Establish a set of cloud security controls that provides information security controls designed specifically for cloud service providers, and against which you can perform a security audit. Leverage existing cloud security control frameworks from Cloud Security Alliance, ISACA, FedRAMP, etc.
- Secure the cloud ecosystem by focusing on the entire ecosystem with an emphasis on the following integrated technologies and processes:
  - Identity and Access Management (IdAM) -- Integrate Cloud IdAM into existing corporate IdAM solutions and processes. Require Multi-Factor Authentication for access outside of the corporate network. Take a look at cloud IdAM providers as well, such as OKTA, Duo Security, Sailpoint, etc.
  - Cloud Data Leak Prevention (DLP) -- Integrate Cloud DLP services into existing corporate DLP solutions and processes. This will allow organizations to gain a comprehensive view of the various file-sharing applications in use within the organization, including data movements to and from the cloud, and user actions taken with regard to sensitive data. Leverage cloud friendly DLP/Monitoring solutions such as AlienVault, Netskope, Skyhigh Networks, etc.
  - Data Privacy -- Encryption for data at rest and data in motion. Encrypt your data before it is sent to the cloud. Gain control of key management, encryption, policy management, and data governance for data in the cloud. Leverage cloud friendly Data Privacy solutions such as Netskope, Skyhigh Networks, etc.
  - Monitoring and Detection -- You can’t control what you can’t see. Organizations should also monitor activity within these cloud services (access, uploads, downloads, shares, data audit logs, etc.) to develop a view of the risks posed. Establish cloud log management and alert services. Leverage cloud friendly Monitoring and Detection solutions such as AlienVault.
  - Incident Response -- Integrate cloud services into existing Incident Response processes and planning exercises. Leverage a cloud friendly IR Team who brings all of the solutions and skills together to protect your data no matter where it is located.
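The discovery and proactive-monitoring activities above can start from logs you already collect. The following is an added example, not taken from the original article: it builds a cloud service inventory from web proxy logs and reports services outside the approved set, flagging large upload volumes. The log format, the host names, the sanctioned list and the 50 MiB alert threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log lines (assumed format):
# timestamp user method host bytes_uploaded bytes_downloaded
SAMPLE_LOG = """\
2015-06-01T09:00:12Z alice POST crm.sanctioned.example 2048 51200
2015-06-01T09:03:40Z bob POST share.unvetted-storage.example 73400320 512
2015-06-01T09:05:02Z carol GET notes.unvetted-app.example 300 18000
2015-06-01T09:07:55Z bob POST share.unvetted-storage.example 41943040 256
2015-06-01T09:09:10Z dave POST share.unvetted-storage.example 1024 900
malformed line without enough fields
2015-06-01T09:11:31Z alice GET crm.sanctioned.example 150 9000
"""

# Hypothetical list of services approved by the cloud governance board.
SANCTIONED = {"crm.sanctioned.example"}


def build_inventory(log_text):
    """Aggregate per-host users, request count and upload volume."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit() or not parts[5].isdigit():
            continue  # skip malformed entries rather than abort the run
        _, user, _, host, up, _ = parts
        entry = inv[host.lower()]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(up)
    return dict(inv)


def unsanctioned_report(inv, sanctioned, upload_alert_bytes=50 * 1024 * 1024):
    """List services outside the approved set, largest upload volume first."""
    rows = []
    for host, e in inv.items():
        if host in sanctioned:
            continue
        rows.append({"host": host, "users": sorted(e["users"]),
                     "requests": e["requests"], "bytes_up": e["bytes_up"],
                     "alert": e["bytes_up"] >= upload_alert_bytes})
    return sorted(rows, key=lambda r: r["bytes_up"], reverse=True)


if __name__ == "__main__":
    for row in unsanctioned_report(build_inventory(SAMPLE_LOG), SANCTIONED):
        print(row)
```

Sorting by upload volume puts the services most likely to hold company data at the top of the governance board's review queue.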
The past few years have marked a major shift in IT’s role, from service provider to service broker. However, security, privacy and compliance are still imperatives for organizations, and that’s why they need to be high priorities for the cloud service provider as well. You need more than an engine light to come on to tell you there is something wrong. You need to be able to control and provide transparency to secure your sensitive information as you take full advantage of the cloud.