When Sharing Goes Bad

By Krishna Narayanaswamy, Chief Scientist, NetskopeNetskope Cloud Report - 3 for 1 sharing

Among the many benefits cloud apps bring is the ability to collaborate. Key to collaboration is sharing data, findings, reports, videos, and other information assets. Whether you’re sharing the latest sales presentation, a link to a customer video, or a win/loss report in a data and analysis app, you’re moving your business ahead by making information transparent and getting your team on the same page.

Every quarter, we release a look-back at anonymized, aggregated data across tens of billions of transactions from millions of users in our Netskope Cloud Report. A key theme that emerged this quarter is the activity of sharing.

Typically when people think about sharing, what comes to mind is sharing documents like contracts, videos, and Power Points within a cloud storage app like Box, Dropbox, or OneDrive. It is that. In fact, within the cloud storage category, there are 3 shares for every 1 upload.

Even more interesting is the fact that sharing is alive and well in nearly every type of cloud app, not just in cloud storage. In the Netskope Active Platform, we analyze 55 different cloud app categories, from customer relationship management to finance and accounting to human resources to supply chain management. We noticed that people share from cloud apps in 49 of those categories. More than one out of every five cloud apps enable sharing. Three popular non-storage apps that enable sharing include financial and human resources app, Workday, project management app, Trello, and productivity app, Evernote.

Why should you care? Well, if you’re an IT or security leader, you probably care an awful lot about your organization’s sensitive data. If people are sharing content in the apps in your environment, you need to know about it. Sharing can be very benign or very risky, depending on content and context. It can range from a user sharing pictures from a company picnic to an “insider” sharing non-public financial results with investors, an engineer sharing top secret product designs with collaborators outside of the company, or an executive inadvertently sharing the company’s acquisition plans with an unauthorized party.

Our advice is to discover your apps and understand which ones enable sharing. Then look at their risk. The Cloud Security Alliance has a fantastic way of looking at this with their Cloud Controls Matrix (in fact, they just came out with a new version of the matrix, you can find it here and STAR rating system. Then look at the data and sharing patterns. Have a conversation with your business leaders and users so they understand what’s going on and what the risks are. And then triage the riskiest areas first and decide what to do. Maybe the right thing is to set a policy addressing sharing (e.g., no sharing outside of the company if you’re in the “insiders” group in your enterprise directory). Or if policy enforcement isn’t in your company culture, having an informed conversation is the best choice.

Either way you slice it, having the intelligence at your fingertips is the best way to start. Know what apps you have, what their risk profile is, which enable sharing, who’s sharing, what they’re sharing, and who they’re sharing with.


By Brandon Cook, Director of Product Marketing, Skyhigh Networks

Photo of Jeff Blair
We are thrilled to feature a Q+A session with Jeff Blair, CISO of Creative Artists Agency (CAA) in this month’s installment of the Cloud Security Innovators blog series. Jeff works for CAA, which represents the world’s biggest athletes and movie stars.  In this fast-paced and creative environment, Jeff is a maverick, helping lead the movement to the cloud with an innovative approach to securing cloud data and systems.

Q. How do you view the cloud? Friend? Foe? Necessary evil?
A. For us, the cloud is certainly a friend. That friendship helps to make us a better IT department and a better organization overall, but you have to build and validate the trust given to service providers over time.

Q. Are there any advantages to using cloud apps as it relates to security?
A. Advantages start with the level of trust you have in your providers. There’s a foundation of infrastructure comprising hardware and network services that you’re going to be completely abstracted from. Once you’ve established that trust, you see advantages with APIs and access to logging information that previously wasn’t easy to get from on premise solutions.

Q. It was a while back but still an important security event: How did your IT department respond to the Heartbleed breach?
A. Externally our exposure was limited to a few appliance servers that were quickly updated.  Our efforts primarily focused on employee education. How do we rapidly understand impact to our employees? How do we communicate to employees what is secure and what isn’t, and what are the steps they should take? We sent out an email instructing them on an approach for changing passwords and implementing two-factor authentication.  During this process we used Skyhigh to help us understand what vulnerable services were in use at the company and provide appropriate instruction to our employees on when to update their passwords.

Q. There is a lot of press around “encryption” as the silver bullet to address security issues relating to the cloud. Do you see encryption as the panacea?
A. I don’t see encryption as a silver bullet. It’s certainly one piece of the puzzle to protect your most sensitive information but usability has to improve significantly before broad adoption takes hold. Starting with a strategy of transparent encryption where keys are controlled by the enterprise is a great first step.  This keeps your IaaS provider honest, protecting in those areas where you’re abstracted from the providers’ operations.

Q. What exactly do you mean when you say “transparent encryption”?
A. The application doesn’t know about the encryption. If you’re running workloads in Amazon, Microsoft or some other Iaas, then you need to own the key that encrypts the data on those disks. If information is mishandled by the provider, we need to ensure that data isn’t accessible. There’s a lot of complexity and management overhead that comes with encryption, and the higher up in the stack you move encryption, the more likely it impacts usability of the system. Initially you want to focus at the lower layers where it’s transparent to users and the applications and as the technology matures move further up the stack to provide additional protections where needed.

Q. There’s a phrase going around in the press right now: “user-centric IT.” Your department seems very user-centric.
A. We have to be; we have seen many examples where an IT-centric approach has resulted in low adoption of our applications. Usage of these systems quickly declines following deployment and users find other ways to get their job done outside of the managed systems.  We’re not into building applications that people don’t use, and, with so much choice available today, we know employees will go around IT. Our efforts to build usage monitoring directly into our systems has allowed us to trial changes and has focused us on building features that are truly used and wanted.  This direct monitoring of application usage combined with our use of Skyhigh to highlight gaps in our application coverage have been core elements in guiding user centric IT.

Q. As you look into your crystal ball, how will cloud security evolve over the next two or three years?
A.  One of the greatest challenges around cloud right now is ensuring consistent identity. I see identity provisioning and authentication standards becoming far more solid over the next two to three years to the point where you can ensure your on premise directories and access policies are going to match up exactly with what is available in the cloud. Along with that, you will see mature, consistent APIs to allow logging data to be centralized and correlated across cloud providers. The biggest challenge today is most services provide the ability to collect usage and administrative information, but each service provides different logging APIs or forces you to access this information through their administrative portal; creating significant up front costs for integration. Increased standardization across security and identity integration models will bring us to new levels of security in the cloud in the next two to three years.

Survey Finds BYOD Devices Cluttered with Mobile Apps

By Hormazd Romer, Senior Director of Product Marketing, Accellion

Accellion-CSA-Blog-150x150How many mobile apps are installed on BYOD devices? The answer varies from employee to employee, but broadly speaking, the answer seems to be, “lots.”

IBM company Fiberlink recently surveyed mobile workers and tallied the mobiles apps installed on their devices. As reported on Dark Reading, the survey found:

  • 17% of employees have 9 or fewer apps on their devices
  • 18% have between 10 and 24 apps
  • 35% have between 25 and 49 apps
  • 25% have between 50 and 99 apps
  • 5% have 100 or more apps

Most mobile phones and tablets come with about 10 apps by default. These include an email app, a maps app, and a calendar app. Many enterprises provide their employees with additional apps, such as apps for special business functions and services, like a CRM app. Other enterprise apps might address IT security, such an app for VPN. Of apps provisioned by enterprises, 38% have been customized in-house by IT, and the rest are publically available apps that IT departments have tested and endorsed.

It’s safe to assume that those 30% of employees carrying 50 or more apps on their devices have some, if not dozens, of consumer apps that were not tested and provisioned by the IT department. These apps might include public-cloud file sharing services like Dropbox that operate outside the control of the IT department. The apps might also include games and social media apps that most likely were purchased impulsively and not evaluated for safety or stability.

These untested, unsanctioned apps pose potentially serious risks to the enterprise. Some apps may be infected with malware, which grew 167% last year. Others might be used in intentionally or accidentally to share confidential data with unauthorized users.

What’s the lesson here for enterprise IT departments and security teams?

Enterprises should adopt security models that assume that employees will install multiple unknown and untested apps on their devices. To protect business data, on-device BYOD solutions should include secure containers for data and apps, so that business data is always shielded from potential malware threats and unauthorized access. Enterprises should be able to remotely wipe the apps and data in a secure container, should a device be lost or stolen, or if an employee leaves the company.

In addition, enterprises should ensure that mobile workers can perform all their work-related tasks with apps that have been officially provisioned by the enterprise. These tasks include file sharing, ad hoc communications such as messaging, and other everyday forms of collaboration. Employees might be tempted to rely on consumer apps for these services, but consumer apps cannot be trusted to keep business data safe. By creating a “white list” app store of tested and trusted apps, enterprises can reduce the chances of employees turning to risky apps for everyday work.

By assuming that BYOD devices will mix business with pleasure, enterprise IT organizations can design and deploy mobile solutions that keep business data safe, no matter how many apps—or dozens of apps—employees have installed.


Has Cloud Adoption Plateaued?

By Brandon Cook, Director of Product Marketing, Skyhigh Networks

CARR 1 TNStatisticians are always interested when they see data that diverges from a general pattern. This is exactly what happened when we dug into the latest cloud usage data from Q2 in the recent Cloud Adoption and Risk Report (CARR).

To this point, we had seen rapid growth in the adoption of cloud services. In Q3, 2013 the average enterprise used 545 cloud services. In Q4 of that year, the number had grown to 626, and by Q1, 2014 the average enterprise was using 759 cloud services. That averages out to a quarterly compounded growth rate of 18%.

But then something strange happened – that number went down, for the first time.
Anomaly or the beginning of a trend?
Over the last quarter, the average number of cloud services used in the enterprise, actually decreased slightly from 759 to 738. With only one divergent data point it’s impossible to tell if this is an anomaly or the beginning of a trend (we’ll certainly be revisiting this next quarter to draw some conclusions here). The immediate question is – why did this happen?

3 reasons for the flattening
We are in the early innings of the movement to the cloud, so it is unlikely that this flattening is due to decreased supply or demand of cloud services. Instead, this flattening is likely the result of 3 factors:

  • We are seeing IT making a concerted effort to educate employees on the perils of high-risk cloud services in an attempt to divert usage to low-risk services
  • Many organizations are beginning to consolidate services in a particular category to not only lower cost and risk, but also to increase collaboration and productivity
  • Due to increased awareness about cloud risks, employees are using more care when dealing with corporate data.

Flattening likely a good thing
From our perspective, this flattening, due to shift to using low-risk services and consolidation of services in a category, is a good thing. Why?

The data shows that the majority of the 3,861 services found in use overall lack basic security features, putting organizations at risk.

In fact, only 9% of services used were Skyhigh Enterprise-Ready™, meaning that they fully satisfied the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection based on detailed, 50-point evaluation criteria developed in conjunction with the Cloud Security Alliance (CSA). Only 11% encrypt data at risk, only 16% provide multi-factor authentication, and only 4% are ISO 27001 certified.

To see all the data and discover more interesting facts about today’s enterprise cloud usage, download the full Q2 Cloud Adoption and Risk Report here.

Take the New Cloud Security Alliance Survey: Cloud Risks and Opportunities

By Krishna Narayanaswamy, Chief Scientist, Netskope 

The Cloud Security Alliance is conducting a survey of global IT and security professionals on their organizations’ usage of and perceived risk in enterprise cloud apps.

Netskope, along with one of our identity management partners, Okta, are sponsoring this survey because we believe it will bring to light unique and useful insights about today’s cloud risks and opportunities.

The questions we’re asking make this survey unlike other research in the industry – we’ll look at IT perceptions about sensitive content uploaded to and shared from cloud apps, as well as authentication and policy enforcement within cloud apps, and data breaches involving cloud apps.

With increasing cloud app usage and activity combined with increasing numbers of cloud vulnerabilities, these perceptions will be critical especially compared with empirical data that cloud vendors are collecting from their own practices.

You can take the CSA survey here. Participants will receive a complimentary copy of the finalized report.


By Kamal Shah, VP of Products and Marketing, Skyhigh Networks @kdshah

CAR ImageCARRQ3VerticalThumbnailIn our professional lives, we all seek to make more data-driven decisions. We know that logical choices made with complete information yield better results than those based on conjecture or suspicion. To that end, Skyhigh today released the fifth edition of our quarterly “Cloud Adoption and Risk (CAR) Report” that provides key metrics pertaining to the use of cloud in the enterprise. This report has become the de-facto data source on cloud adoption and risk for those enabling (IT), securing (Security), using (Employees), analyzing (Analysts), and covering (Journalists) cloud in the enterprise.


Cold, hard data

What makes this report unique in the industry is that it’s based on hard, empirical data from over 200 companies. Rather than relying on surveys alone that show only what people think is happening, we base our findings on actual, anonymized usage data collected from over 10.5 million employees throughout the world…and the findings are quite surprising. Check out the slideshare below for a sneak peek or download the full report.

Securing the Cloud

By Robert Clauff, Security Engineer, Solutionary

robert clauff headshot

More and more organizations are moving to the “CLOUD.” It seems as though you can’t read an article about IT or turn on the TV without seeing someting about the increasingly ubiquitous cloud. Of course, the cloud is more than just an IT buzzword, it’s an increasingly important part of IT that requires organizations to consider the security implications of “moving to the cloud.”

Moving to the cloud can benefit a lot of organizations. However, you need to know how to keep things secure while you migrate to such an environment. The term cloud is frequently thrown around in discussions; but in reality, a lot of IT professionals do not really know all the downsides of cloud migration, and security issues are often overlooked.

I keep reading and hearing statements like, “The cloud is so much easier to manage and makes your information more secure.” These types of blanket statements are just not accurate.

The cloud does mitigate some common security issues, like data resiliency and availability, as well as some physical threats. Yet, when organizations decide to migrate to the cloud there are other layers of security that they need to acknowledge, which are often ignored by companies that do not look at all of the facts.cloud-computing

The reality is that cloud computing opens up new ways in which your security can be compromised, and you have to trust your cloud provider’s security to be up to par. You can improve your overall security posture if you do not let your security posture relax, but, in fact, take this opportunity to tighten it even more. New threats can range from basic to very advanced techniques, and organizations will see some of the issues occur when trying to protect data because there are “Catch-22s.”

While data loss and data leakage are both bad, the security measures to mitigate one can exacerbate the other. I personally get an uneasy feeling about concentrations of several organizations in the same physical environment, which happens constantly in the cloud. For example, multi-tenant cloud databases which are improperly designed and flawed applications could allow a hacker to access not only the data of one client, but the host as a whole, and potentially all client data stored by the provider.

As we all know, security issues do not always originate from malicious hackers. User errors will do just as much (if not more) damage. In 2011, the EC2 cloud had data loss because of constant backups and a “re-mirroring storm,” all due to user error. Something as easy as losing encryption keys for the data can cause catastrophic damage to an environment.

We have seen an example where an attacker on a virtual machine listened for activity that signals the arrival of encryption keys from another virtual machine on the same host, using a ‘side channel timing exposure’ technique. However, as far as we know, this advanced technique has not been tied to any large breaches (yet). Cloud environments could help put a large bull’s-eye on your organization because compromising an array of cloud servers could make for one heck of a malware server farm or even a nice Denial-of-Service (DoS) attack, all in one easy shot. (Attack the cloud provider, and affect dozens or hundreds, or thousands, of clients). In fact, Solutionary Security Engineering Research Team (SERT) research has shown that leading Internet Service Providers (ISPs) and hosters are a haven for hosted malware.

Among all of the different security issues, the same “oldie but goodie” issues are still present. Account hijacking is and always will be a serious security issue due to phishing, vulnerabilities and buffer overflows. Session hijacking is just as prominent in the cloud and can lead to service hijacking while compromising the confidentiality, integrity and availability of your data. Malicious users and rogue administrators still exist, just as they always have, but there are easier ways like throwing a VM on a flash drive and walking out of the building with it.

DoS attacks are still a very real threat, even in the cloud. If your organization experiences a DoS attack, you could still be charged for resources being used while the services are unavailable. Or, if your servers are compromised at the cloud provider, you could be charged for any bandwidtch used because of a DoS attack. You can probably get those charges cancelled, but chances are you will still have to take action to do so.

A lot of these situations can be mitigated just by using security best practices and having a good sense of security from the ground up when developing your cloud infrastructure. Don’t just trust that cloud providers have a secure infrastructure. Instead, ask them what their practices are, and ensure they are supporting a secure environment. Whenever possible, include two-factor authentication and security-conscious applications when considering what you will be interfacing with.

The provider should be using security best practices, and have an effective application development security program if they are implementing applications for you. A large percentage of compromise in the cloud is due to flaws in applications or Web functionality. Be sure to do your due diligence.

Insecure Application Program Interface (API) can be your worst enemy. APIs could give anonymous users access using third-party authentication for services such as Facebook, Google and Twitter. These authentication methods are often found to be broken and vulnerable to compromise. In general, relying on third-party security practices to secure your applications is bad practice.

Dealing with IT security every day, I see how many bad situations could have been avoided if security was taken into account when the environment was built. While security best practices are a great avenue to keep your data secure, it always helps to have someone watching your back. The Cloud Security Alliance (CSA) is a great resource to have when needing answers for real-world questions.

Having a Managed Security Services Provider (MSSP) watching over your cloud environment is always a great benefit as well. As any IT professional knows, it is impossible to have eyes everywhere while tending to day-to-day operations.

I hope that after reading my little rant you will definitely do your due diligence on the cloud before jumping into something just because upper management starts throwing around buzzwords like “The All Powerful CLOUD!” Just remember that you will need real-world, information security practices, and there is never anything as easy as a special man behind a curtain to solve your problems.


By Brandon Cook, Skyhigh Networks

CloudCupImageWith the World Cup in full swing, one cannot help but compare the US to our neighbors around the world. The event begs it. We see our skills, our style, our strategy and our fans all juxtaposed with more established soccer powers from around the globe.

And, I have to admit, some things are just better in Europe: Soccer for one.  If pressed, I’ll concede fashionsports cars, and public transportation as well. But what about Cloud Security?

Privacy: Europe 1 – US 0

Given the concerns around the US Patriot Act and US government-issued blind subpoenas, there is a growing school of thought encouraging IT shops to use cloud services that are headquartered in privacy-friendly countries (i.e. EU).

Why? Well, under the US Patriot Act, US intelligence agencies are permitted to access data owned by non-US citizens stored on clouds hosted by US companies.

This perspective has been championed by European IT leaders such as John Finch, CIO of the Bank of England. He’s said, “You need to think about where Cloud companies are domiciled. Even if that well-known cloud provider says ‘don’t worry’, if they’re an American company, your data is linked to the American Patriot Act. That means if the FBI or CIA want it, they’ve got it. Think about what you’re giving and when.”

Security: US 1 – Europe 0

However, the data tells a different story. While privacy is important, one cannot ignore data security. Based on statistics from Skyhigh’s Cloud Registry, which uses a security framework developed in conjunction with the Cloud Security Alliance (CSA), 9% of cloud services headquartered in the EU are high risk, compared to only 5% of cloud services headquartered in the US. So, while EU-based cloud services provide some protection from the US Patriot Act, they do expose organizations to greater security risks.

WWJKD (What Would Jürgen Klinsmann Do)?

So, if using US providers isn’t the answer, what is? Encryption is one effective solution that is gaining traction for many cloud consumers.  It’s important that your cloud provider provide encryption for data not just in transit, but at rest as well. Equally important, especially for European customers concerned with the privacy of their data hosted by US cloud providers, is encryption key management. If your cloud provider owns the encryption keys, the US government can subpoena your cloud provider, forcing them to de-crypt and share your data. Further, they can issue a gag order to your cloud service provider so this is done without your knowledge. In order to protect your company’s security and privacy, make sure you encrypt sensitive data AND manage your own encryption keys.

For straight-shootin facts on cloud encryption and a run-down on the tradeoffs of each algorithm, check out the Cloud Encryption Cheat Sheet.

New Study Highlights the Risks of Bring Your Own Cloud

By Hormazd Romer, Senior Director, Product Marketing, Accellion

A new study by the Ponemon Institute, The Insider Threat of Bring Your Own Cloud (BYOC), analyzes the risks of enterprise employees using cloud services without the permission or oversight of the IT department—a practice that the study’s author calls “Bring Your Own Cloud (BYOC).”

The study findings highlight the risks of insiders’ accidentally or intentionally disclosing confidential data through unmonitored public clouds. Here are just some of the findings, which are based on responses from 400 IT and/or security practitioners:

  • 62 percent of respondents reported they knew of employees using their own private accounts for public-cloud services such as Dropbox, Google Docs, and Evernote in the workplace yet only 26 percent of respondents said this practice was permitted.
  • 55 percent of respondents say the risks posed by BYOC are increasing, and that BYOC affects data security risks overall. What are these risks? According to the study, they include “the loss or theft of intellectual property, compliance violations and regulatory actions and loss of control over end user actions.”
  • 85 percent of respondents say BYOC makes it harder to manage access governance and privileged access to sensitive and confidential data.

The scariest finding is probably this one: “Most respondents say they are not confident or have no confidence that they could stop or prevent data loss in the BYOC environment. The primary reason could be attributed to the lack of BYOC security measures and difficulty in addressing the insider threat to data in the cloud.”

Since most enterprises do not officially support BYOC and since most IT workers recognize that BYOC is risky, why is BYOC allowed to be so prevalent?

According to the survey, employees using BYOC services are more productive. This makes sense, as popular services like Dropbox, Evernote and other file sharing services do address the productivity needs of today’s mobile-first workforce. However, they do so in a risky, unmonitored, and decentralized way that leaves IT and security teams on the sidelines.

To benefit from the productivity of a BYOC-style workforce without incurring the risks of unmonitored cloud usage, enterprise IT teams should step forward and offer their own solutions for file sync and sharing, group editing, and other common collaboration tasks. By offering a secure alternative to BYOC, enterprises can keep data safe while offering employees solutions for increasing productivity.