The Consumerization of IT, BYOC, and the (New) Role of IT

September 11, 2013 | Leave a Comment

Nicholas G Carr

9 September 2013

Author: Brandon Cook

It has been a decade since Nicolas Carr published his controversial essay “IT Doesn’t Matter” in the Harvard Business Review. Back then, he claimed that companies weren’t really getting a competitive advantage from the technology advances – the bits and bytes – of hardware and software. Carr argued that IT infrastructure was becoming commoditized, and it was the business strategies using that technology rather than the technology itself that would give companies their competitive advantages.

Ten years later, Carr’s ideas really have become a reality. Now we are in the era of the consumerization of IT and Bring Your Own Cloud (BYOC), where individual workers and business departments rent hardware and software—the virtual machines, the applications, the storage capacity, the big data processing capacity, and so on. Often, they make these choices without IT’s knowledge or approval.

This shift from “own the infrastructure” to “rent the applications” leads to the next question: What is the role of the IT department now? If we no longer need this group to select, install and maintain the latest model server, do they still play a strategic role in the enteprise?

I’d like to share a real-world story that demonstrates that IT departments do have an important and significant role in the BYOC era. Not only does IT have the critical responsibility for protecting corporate data as it moves to the cloud and from the cloud, but this group also makes certain that the right cloud services are being used, in the right way (meeting company policies) and in a productive and cost-efficient manner.

Leveraging Skyhigh, one Fortune 100 company’s IT department gained visibility into the use of public cloud storage services by the company. On average, a company uses 19 different cloud storage services and this particular company was no different. Of course some services are more popular than others with workers, and the company ranked its top 5 cloud storage services by number of users:

  1. Dropbox
  2. Google Drive
  3. SkyDrive
  4. SugarSync
  5. Box

With 19 different services in use, how can employees effectively collaborate and share their work? The IT team polled employees and found they were struggling with managing multiple file sharing services and would prefer having one corporate standard.

Skyhigh analysis of their cloud storage use gave them necessary insight to understand which services were actively being used, by how many users, how frequently, for how much data and which ones people had signed up for but used less often.   The usage ranking was:

  1. Box
  2. SugarSync
  3. Dropbox
  4. Google Drive
  5. SkyDrive

The data revealed that Box was used most often. And Skyhigh’sCloudRegistry showed that Box was also the lowest risk service. Armed with this data, IT negotiated a corporate-wide deal with Box and set this as the company standard for public cloud storage services. An IT manager at the company told me, “By leveraging Skyhigh data, we are able to look through the landscape of file sharing services and understand employee usage. This presents a clearer and accurate picture, giving us a better context for decision-making that supports our employees.”

If you’d like to take a look at the file sharing services in use at your organization to understand the risk profile for each service and the usage beyond “user count”, schedule a free file sharing cloud assessment with Skyhigh(note: assessment results returned in 12 – 24hrs.).

And…if you attend Boxworks next week, make sure to ask Nicolas Carr, who’s speaking at the event, for his take on the role of IT in the BYOC era.


Beyond Encryption: The 5 Pillars of Cloud Data Security

September 3, 2013 | Leave a Comment

Author: Kamal Shah, Skyhigh Networks
Given the recent influx of cyber-security attacks and the hubbub about the National Security Agency’s PRISM program, there is lot of talk about the importance of encryption to protect corporate data in the cloud. (PRISM is a clandestine data mining operation authorized by the U.S. government in which data stored or passing over the Internet can be collected without the owner’s knowledge or consent.)

While it’s true that encryption helps to keep data private, encryption is just 1 of 5 capabilities needed to completely secure corporate data in the cloud. Allow me to use an analogy in the physical world to explain what I mean.

Banks are an ideal example of the use of layers of security to protect important assets. A bank branch has a vault in which it stores cash and other valuables. Having a vault is essential, but on its own it’s not enough to fully protect the riches within.

The bank also has policies to guide who can access the vault; what identification methods are required to verify that an employee or customer has the right to access the vault; the hours when the vault can be legitimately accessed; and so on.

The bank also needs surveillance cameras so that in event of a breach, the authorities can play back the recording to understand exactly what happened, and when. Stationed near the vault, the bank has a security guard for additional protection against threats and to deter thieves. And finally, the bank employs armored vans to move cash around from the bank to stores, to off-premise ATMs, and to other banks.

Similarly, when we talk about protecting corporate data in the cloud, you need more than just a point encryption solution; you need comprehensive approach to cloud data security.

Let’s start with encryption—a technology that has been around for decades but is now more important than ever as threats from all angles are increasing. The encryption solution you use on your data needs to be standards-based and it must support both structured and unstructured data. For structured data, the encryption technology must not break any application functionality (such as searching or sorting). This latter requirement is quite important; if you can’t search on data in comments field in because it is obscured through encryption, you’ve defeated the value of using the application.

So encryption is 1 of 5 critical security capabilities. What are the other 4?

You need contextual access control so you can ensure secure access to the data based on who the users are, what devices they are using, and what geographic locations they are in.

You need application auditing so you can identify who has accessed which data and alert based on anomalous use. This is critical as most SaaS applications don’t provide audit trail of “read” operations to understand what exactly happened when an incident occurred.

You need data loss prevention to make sure that PII and PHI data is not moving to or through the cloud in the clear in violation of PCI, HIPAA and HITECH regulations.

And finally, you need the ability to easily but consistently enforce these policies for cloud-to-cloud use cases.

This last need is an up-and-coming requirement that companies are just beginning to realize, but it will grow more important as companies use more cloud-based applications. Let me give you an example.

Let’s say a company uses Jive for business social and Box for cloud storage of documents posted in Jive. When Jason, an employee in my Sales department, posts a blog post on a competitor with a detailed attachment, Jive automatically stores the document in Box. In this cloud-to-cloud scenario, I need to make sure that my security, compliance and governance policies are consistently enforced across both, Jive and Box.

Encryption as a means of data security is a good start, but not sufficient. Make sure you bolster it with the other critical security capabilities for a more complete cloud data security strategy. To learn more check out our Beyond Encryption Slideshare.


Windows Azure Leads Way with SOC 2 + CSA CCM Attestation

August 22, 2013 | Leave a Comment

by John Howie, COO, Cloud Security Alliance

This week Microsoft announced that Windows Azure had completed an assessment against the Cloud Security Alliance Level 2 Cloud Control Matrix as part of its Service Organization Control (SOC) 2 Type II audit conducted by Deloitte. This combined approach was recommended by the American Institute of CPAs (AICPA) and published in a position paper released with the Cloud Security Alliance (CSA) earlier this year, as part of our guidance on selecting the most appropriate reporting standard.

The guidance reflects the Cloud Security Alliance’s view that for most cloud providers, a SOC 2 Type II attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.

We would like to congratulate Microsoft for their continued leadership in being the first cloud provider to produce a SOC 2 report with CCM included as recommended by the AICPA and the CSA.  Customers of Windows Azure will benefit from the comprehensive review of the company’s cloud controls in critical areas such as confidentiality, availability, and privacy.

We strongly encourage other providers to follow Microsoft’s lead by doing the same, as it will work to strengthen and preserve the confidentiality and privacy of data in the cloud for us all.

Visit the Windows Azure Security blog to learn more.

Just What the Doctor Ordered: A Prescription for Cloud Data Security for Healthcare Service Providers

August 14, 2013 | Leave a Comment

by Kamal Shah, VP, Products and Marketing at Skyhigh Networks

Cloud services are here to stay, and practically everybody is embracing them. In fact, the cloud computing industry is growing at the torrid pace of nearly 30% per year right now, according to Pike Research.

Certainly healthcare service providers are getting on the cloud services bandwagon, either by choice or by decree. As reported in Forbes, the Health Insurance Portability and Accountability Act (HIPAA) omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate that everyone in the healthcare industry must migrate their patient records and other data to the cloud. This is to facilitate medical professionals’ authorized access to electronic health records (EHRs) to improve patient care and reduce costs.

At the same time, healthcare organizations have an obligation to make sure that their use of cloud services is secure and that personal health information (PHI) is fully protected. The risks are huge if they don’t get this right. Any exposure of PHI is deemed a violation of HIPAA compliance, which can lead to steep fines and other costs for the healthcare service provider, not to mention the loss of trust and confidence of its patients.

Even the best of intentions can backfire on healthcare organizations. PHI doesn’t necessarily have to be lost or stolen in order to violate HIPAA’s letter of the law. The Oregon Health & Science University was recently cited for using an unsecured cloud platform to maintain a spreadsheet containingsensitive patient data. The intent was to make it easier to share accurate information about patients among the healthcare professionals involved in their care.

Unfortunately the university didn’t have a contractual agreement to use the cloud service and the privacy and security of the patient data could not be absolutely assured. Although officials don’t believe the incident will lead to identity theft or financial harm, the university is notifying affected patients as a matter of caution.

So, what’s the prescription for hospitals and other providers to reduce their risk when using cloud services? Security experts recommend a three-step process to facilitate cloud data protection:

  • First, get an understanding of all the cloud services already in use by the organization. There’s probably a lot of unofficial “shadow use” of services that company officials aren’t aware of and that may put the organization at risk.
  • Next, leverage all the innovation in big data analytics to understand this usage and to ensure that the organization’s policies are consistently enforced.
  • And finally, for the recommended cloud services, secure the data in the cloud through contextual access controls based on user, device and location, encryption, and data loss prevention.

Read how one leading hospital put this framework to use and successfully reduced the risk of cloud services.

You can Benefit from the Cloud: Choose based on Class of Service

July 10, 2013 | Leave a Comment

In my last blog, I had promised a deeper dive into Choosing a Cloud provider based on Class of Service.

It is a very timely topic. In one of very many recent articles on cloud security, Avoiding cloud security pitfalls Telstra enterprise and infrastructure services IT director Lalitha Biddulph advises “A lot of cloud services are proprietary and once you move your data in there, you may have given away your right to shift data by choosing to use a particular service.”

Without a doubt this is an area of risk to be balanced when making decisions about which key vendors to use when you consider public cloud usages across SaaS, PaaS and IaaS models. It is also an area of opportunity where organizations can draw up distinct SLAs around their rights with their data and ensure that the SLAs are properly drawn up, communicated and agreed to by all parties prior to moving data across.

Over the last couple of years we have seen remarkable strides forward with cloud providers becoming much more diligent in not only improving levels of security for hosted email, customer relationship management and vertically-focused applications, but also with IaaS providers becoming much more flexible in conditions around SLAs and reporting.

I continue to feel greatly encouraged by the work that the Cloud Security Alliance is doing and it is why I invest my time in their activities. I believe that they have the power with their wealth of resource and broad industry participation to continue to educate the industry and move us forward with ideal frameworks based on consensus.

While I think caution should be urged and organizations should be in no doubt about the risks that their data can be exposed to in cloud models, this should also be balanced with the economic advantages. Added, to that, cloud models have matured for the types of services I have mentioned above and others – that too should be taken into consideration along with a robust set of security controls.
Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco responsible for championing holistic and next generation security solutions . She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, she pioneered the development of such tools in her previous role as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can be best implemented to meet the needs of next-generation datacenters. She holds a Bachelors of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

IT Opportunities Surrounding Shadow IT

June 27, 2013 | Leave a Comment

By Kamal Shah

Skyhigh Networks VP of Products and Marketing


The magnitude of Shadow IT is significant and growing.Gartner has predicted that a full 35 percent of IT spending will take place outside of IT by 2015 – just 18 months away. By the end of the decade, that figure will hit 90 percent.


CIOs, CISOsand members of an organization’s Security and IT teams have a difficult time getting a handle on Shadow IT, and just how many cloud services are in use by the employees in their organization.In our experience they typically estimate somewhere between 25-30 services in use, but in reality we see that there are usually between 300-400 services, 11x more than IT was aware of.


When the IT and Security teams come to realize the sheer volume of cloud services in use, the massive size of Shadow IT, and the magnitude of cloud data security risk due to Shadow IT, it’s always a real eye opener.  The vast number of cloud services running speaks to several exploding trends – cloud computing, bring your own device (BYOD) orbring your own cloud (BYOC), and consumerization of IT.


Specifically, the rapid shift from on-premise business applications to cloud-based SaaS applications has enabled any employee with a credit card and an Internet connection to become an IT manager and deploy their own Shadow IT applications without notifying IT.


These three forcing trends are not going away.  In fact, these trends are expanding broadly, fueled by the growing consensus that use of cloud services results in higher productivity. A recent survey of IT decision makers found that 72 percent suspected that Shadow IT was beneficial and made it easier for employees to do their jobs. However, Shadow IT also creates clear cloud data security and cloud compliance risks.  It is unclear how safe data is within these cloud services, and there is no guarantee what security measures the providers put in place.  The breach of Evernote is a good example, and was eye-opening for the industry.  These service providers are focused on the instant delivery of cloud applications, not security.  If a giant company such as LinkedIn is at risk, how susceptible are the small SaaS providers employees are using without their IT department’s knowledge or safeguards.


The good news is that most IT teams want to constructively address the Shadow IT phenomena and believe that there is a happy medium that balances cloud services agility and cloud security.ITwants to help their business counterparts accelerate the safe adoption of cloud services while protecting corporate data.There are a number of approaches for discovering and studying Shadow IT, such as using a cloud-based solution that analyzes firewall logs in a non-intrusive and real-time manner.  The most popular approaches take it a step further and identify the risks of cloud services, as not all SaaS applications employees are using are unsafe.


Take the time to learn about these approaches, and find the one that works best for your organization.  Like most cloud services, organizations should be able to use these solutions in a matter of minutes and immediately help IT organizations shine a light on Shadow IT for safer and more productive cloud services usage.



Why the Cloud Cannot be treated as a One-size-fits-all when it comes to Security

June 24, 2013 | Leave a Comment

Despite the fact that cloud providers have long since differentiated themselves on very distinct offerings based on cloud platform type, I often see the cloud written about as though it is a single, uniformservice. And, the problem with that is while there are commonalities, it is downright misleading especially as so much is misunderstood around what’s required to secure cloud-based services and the risks that are involved. Today there are three classes of service, Software as a Service (SaaS) where the provider hosts software-based services and the consumer accesses via a web interface, Platform as Service (PaaS) that developers mostly use to developsoftware-based offerings, and Infrastructure as a Service (IaaS) where consumers can “rent” infrastructure to host their own services.

When I speak with customers I recommend they consider cloud offerings in the light of classes of services they need, the types of data they will need to expose, their regulatory compliance needs and the reputation and flexibility of the service providers they are looking to leverage. Because, even within the classes of service I mentioned above there are distinct variances.

Choosing a cloud provider based on class of service

Over the last five years in particular the industry has benefitted from broad based adoption of SaaS particularly for customer relationship management, payroll and document collaboration to name a few. But, cloud providers in this space range from those with established practices and who have robust data handling and hygiene practices that are well documented to emerging players. The same goes for PaaS and IaaS. Over the last couple of years some IaaS providers have developed tailored offerings to suit particular verticals such as government, retail and healthcare. Today, the industry is still very much lacking from standard definitions and templates for SLA. And with each different class of service, there are different security requirements too, ranging from SaaS where the consumer has no ability to push security controls down to the provider’s environment to IaaS where typically the consumer is responsible for securing the virtual machines that they might “rent” from a provider. This is where leveraging the freely available resources from the Cloud Security Alliance Trust and Assurance Registry (STAR) an initiative that encourages transparency of security practices within cloud providers, is incredibly valuable.

Data Security According to Data Type

Data, too, is not created equal. Consumers of different cloud services need to consider the data that entrust in the hands of a SaaS provider from a sensitivity level as well as any exposure that may result from a potential data breach. This concern may be a little different with IaaS where a consumer potentially has the opportunity to addmore safeguards such as encryption, file monitoring and other security controls at the virtual machines level that may help mitigate some of the risks. I have seen some excellent security implementations around some vertical stack models that some IaaS providers have developed for government, retail, healthcare and now expanding to more verticals. However, there are issues such as data residency, data handling and monitoring at the network and overall host level that still need to be considered and carefully thought out.

Regulatory Compliance Needs

Some years back the security industry had been focused around the idea of audit and compliance fatigue – this the idea that many enterprises today can be dealing with in excess of fifty mandates pending whom they do business with and their geographic span and the amount of often manual audit data collection. Since then, there has been some automation of IT audit practices but it still remains a time consuming practices for most organizations. There are over 4000 mandates today, which the Unified Compliance Framework has done an amazing job of tracking and cross mapping for many years and as always more government and data privacy mandates in the works. The Cloud Security Alliance Cloud Controls Matrix also cross walks several standards but further categorizes controls according to platform, recognizing that different models require different controls. It is ideal for those looking to learn about how to evolve their controls to map to different models and who want to avoid the audit fatigue syndrome through the concept of audit once, report many times.

Over the next few weeks I will drill down into each of the above areas. In the meantime, if you have any questions or wish to discuss any of the above further, please contact me at [email protected]

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco responsible for championing holistic and next generation security solutions . She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, she pioneered the development of such tools in her previous role as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can be best implemented to meet the needs of next-generation datacenters. She holds a Bachelors of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

CSA Releases the Expanded Top Ten Big Data Security & Privacy Challenges

June 17, 2013 | Leave a Comment

Big Data remains one of the most talked about technology trends in 2013. But lost among all the excitement about the potential of Big Data are the very real security and privacy challenges that threaten to slow this momentum.

Security and privacy issues are magnified by the three V’s of big data: Velocity, Volume, and Variety. These factors include variables such as large-scale cloud infrastructures, diversity of data sources and formats, streaming nature of data acquisition and the increasingly high volume of inter-cloud migrations. Consequently, traditional security mechanisms, which are tailored to securing small-scale static (as opposed to streaming) data, often fall short.

The CSA’s Big Data Working Group followed a three-step process to arrive at top security and privacy challenges presented by Big Data:

  1. Interviewed CSA members and surveyed security-practitioner oriented trade journals to draft an initial list of high priority security and privacy problems
  2. Studied published solutions.
  3. Characterized a problem as a challenge if the proposed solution does not cover the problem scenarios.

Following this exercise, the Working Group researchers compiled their list of the Top 10 challenges, which are as follows:

  1. Secure computations in distributed programming frameworks
  2. Security best practices for non-relational data stores
  3. Secure data storage and transactions logs
  4. End-point input validation/filtering
  5. Real-Time Security Monitoring
  6. Scalable and composable privacy-preserving data mining and analytics
  7. Cryptographically enforced data centric security
  8. Granular access control
  9. Granular audits
  10. Data Provenance

The Expanded Top 10 Big Data challenges has evolved from the initial list of challenges presented at CSA Congress to an expanded version that addresses three new distinct issues:

  1. Modeling: formalizing a threat model that covers most of the cyber-attack or data-leakage scenarios
  2. Analysis: finding tractable solutions based on the threat model
  3. Implementation: implanting the solution in existing infrastructures

The full report explores each one of these challenges in depth, including an overview of the various use casesfor each challenge.

The challenges themselves can be organized into four distinct aspects of the Big Data ecosystem as follows:

big data1

The objective of highlighting these challenges is to bring renewed focus on fortifying big data infrastructures. The Expanded Top 10 Big Data Security Challenges report can be downloaded in its entirety here.




Leveraging Intel from Hackers to Mitigate Risks

June 14, 2013 | Leave a Comment

Authored by Robert Hansen

Know your enemy and know yourself and you can fight a hundred battles without disaster.” – Sun Tzu

A few weeks ago, I interviewed “Adam” a self-described ‘blackhat’ hacker about why he started hacking, what motivates him and others in the underground community and why he has decided to change his ways. What was revealed in this interview (which was published in full in a three-part series on the WhiteHat Security blog) hopefully sheds light on how other blackhats like “Adam” think and how they communicate. From this we in the security industry can devise better solutions, abandon failed technologies, and fix the most glaring issues. A great deal can be unearthed by examining Adam’s words and those of other attackers like him.

For example, Adam shared insights into some web vulnerabilities that are the most used by the attacker community, among them XSS and SQL injection, and his belief that SQL injections are the vulnerabilities that should be fixed first because they are most heavily used. Adam also shares the characteristics that he thinks make up a “good” web application vulnerability: that it is fast to exploit, persistent, gives root/full access as well allows the ability to deface/redirect sites, or wipe IP logs completely. When it comes to lists like the recently announced OWASP Top 10 for 2013, Adam downplays their importance as a “best practice” because they are never up to date or comprehensive – i.e. clickjacking and DoS/DDoS are not on the OWASP list yet extremely useful to attackers – and serve only as a good measure for prioritization.

While some IT security professionals shy away from listening to anything from the dark side, much can be learned from knowing your adversary and what makes them tick. From this conversation with Adam alone we are able to better ascertain how to first prioritize testing and finding vulnerabilities and then prioritize mitigating and fixing them.

To take this conversation one step further, I will be co-hosting a webinar on June 20 that delves further into some of the lessons we can learn from our adversaries in the ‘blackhat’ community and how we can better leverage this intel for tracking attacks and deploying the right protection strategies.

About Robert Hansen

Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He’s the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored “XSS Exploits” by Syngress publishing and wrote the eBook, “Detecting Malice.” Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better.

Cloud Trust Study: Security, Privacy and Reliability in the cloud get high marks with U.S. small to mid-sized businesses

June 11, 2013 | Leave a Comment

Comscore and Microsoft recently commissioned a study to get a pulse on what small to mid-sized businesses (SMB) think about the cloud in terms of security, privacy and reliability.

The results tell us that there’s a gap between the perceptions of those not using the cloud, with the real experiences of those using one or more cloud service.

For detailed result from four geographies (France, Germany, the U.K. and the U.S.), check out Adrienne Hall’s post here.