Data Breaches and the Multiplier Effect of Cloud Services

September 17, 2014

By Eduard Meelhuysen, Managing Director, EMEA, Netskope

We have had a number of conversations lately with our customers and partners about cloud security, with a particular focus on data protection in light of a growing number of data breaches. Against a backdrop of the iCloud hack and data breach revelations at major global corporations, the massive growth of cloud services is giving many IT and security professionals pause as they consider the impact that growth will have on data breaches in their organisations.

The cloud introduces new dynamics in enterprise IT, including massive cloud app growth, much of it outside of the purview of IT; mobile access to cloud apps; and cloud-specific capabilities like sharing, which make it easy for content to get out of an enterprise’s control.

Each of these dynamics could be considered a multiplier, or something that increases the probability of a data breach. To take the pulse of the market and quantify this idea, we asked the Ponemon Institute, a foremost expert in data breach research, to conduct a study on the topic. In support of our formal launch of Netskope in the Europe, Middle East, and Africa region, we are releasing “Data Breach: The Cloud Multiplier Effect.”

The report pulls from a survey of 1,059 IT and security practitioners across Austria, Belgium, Denmark, France, Germany, Greece, Ireland, Italy, Netherlands, Poland, Russian Federation, Slovakia, Spain, Sweden, Switzerland and the United Kingdom, and measures not only the multiplier effect that cloud services have on the probability and economic impact of a data breach, but also takes stock of perceptions of cloud vendor enterprise-readiness.

The report reveals several telling findings about the state of cloud security in EMEA, including:

  • The presence of cloud services can increase the probability and economic impact of a data breach involving the loss or theft of customer information by as much as three times.
  • A breach involving the loss or theft of 100,000 customer records would cost an organisation €13.6M, based on previously established cost metrics. Probability-adjusted, the expected economic impact comes to €1.63M. When asked about the increased use of cloud services, respondents projected a new probability that brought that estimate to nearly €5M.
  • 85 percent of respondents don’t believe their cloud provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
  • 77 percent of respondents fear their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of customer data.
  • 57 percent of respondents believe their cloud service providers don’t use enabling security technologies to protect and secure sensitive and confidential information.
  • 72 percent believe their cloud service providers aren’t in full compliance with privacy and data protection regulations and laws.

This may sound like doom and gloom, but there’s actually never been a better time to safely adopt cloud services in your organisation. Based on our and our customers’ experience, here are three ideas for safely enabling cloud services while mitigating the risk and magnitude of data breaches and other security threats.

First, discover what cloud apps are in your environment and find out how enterprise-ready they are. This is a big step toward understanding and mitigating risk of a data breach because you know what you’re dealing with and can triage the most important apps first. These important apps may include:

  1. Systems of record or business-critical apps, including your salesforce automation, renewal and billing, and salary and performance tracking systems, to name a few; or
  2. Apps that contain sensitive data, such as a big data app that you use to crunch medical clinical trial results, a business intelligence app that has your company’s non-public financial information, or a software development app that contains your source code, roadmap, and quality assurance bug queue.

Did you know that, in addition to being apps that contain sensitive data, each of these is an example of an app that enables sharing?

Second, beyond discovering apps and understanding their risk, it’s critical to know how those apps are being used and what data are being uploaded to and reside in them. Answering questions such as “Is anyone uploading personally-identifiable health information to the cloud?,” “Is anybody downloading personally-identifiable information to a mobile device?,” and “Who’s sharing sensitive content outside of my organisation?” will give you a significant leg up on the problem. Once you can answer these types of questions, you can address the risk, whether by having a conversation with users or line-of-business owners, granularly blocking activities like sharing outside of the company, or encrypting certain data when they are uploaded to the cloud.

Finally, get support. We have tremendous resources in organisations like the Cloud Security Alliance. Also, reach out to your vendors such as Netskope and our partners. We have a treasure trove of best practices and advice from customers who have experienced similar challenges.

Data breaches are serious business, and if you believe the respondents in this study, the cloud can have a tremendous multiplying effect on them. However, between understanding your cloud app environment and reaching out for a little help from your friends, you can mitigate the cloud risk multiplier for your organisation and take advantage of all of the productivity benefits that the cloud provides.

Call for Volunteers:  Antibot Working Group Seeks Experts to Help Develop Botnet Essential Practices Guide for Cloud Providers

September 17, 2014

By J.R. Santos, Global Research Director

Today at the CSA Congress 2014, we have announced a call for volunteers to help create the first CSA Botnet Essential Practices Guide for Cloud Providers. Botnets have long been a favored attack mechanism of malicious actors, with server-based bot activity increasing as a means of taking advantage of vastly greater upload bandwidths and higher compute performance. With cloud computing rapidly becoming the primary option for server-based computing and hosted IT infrastructure, the CSA Anti-Bot Working Group was established in 2013 to help articulate solutions to prevent, respond to and mitigate damage from botnets occurring on cloud infrastructure.

Cloud providers have historically been viewed as one of the sources leveraged for botnet activity that has impacted outside businesses. Cloud providers can benefit from implementing a standard framework of best practices to protect their infrastructure from potential disruption associated with botnet malware, both in terms of resource usage as well as consumer perception.

The guide, currently underway, includes a series of recommended approaches to preventing compromised systems within the cloud infrastructure from affecting co-located customers and external entities. This guidance will be important in enabling cloud providers to take a comprehensive lifecycle approach to botnet prevention, and avoid being used as an instrument of malice against other organizations or entities.

To volunteer, fill out the following online form: https://cloudsecurityalliance.org/research/anti-bot/basecamp/

After you fill out this form, someone from our Research Team will contact you with next steps.

Learning to Love Your Security Audit

September 16, 2014

By Mike Pav, VP of Engineering, Spanning

Most folks treat a security or compliance audit like a visit from the storm troopers: a big uncomfortable disruption to your daily life (if a visit from the Empire can indeed be considered “uncomfortable”). But it does not need to feel that way.

At Spanning, we started out with a “do the right thing” (thanks Spike Lee) mentality built into our DNA, and it has made all the difference in terms of how we view our security audit efforts. While security, privacy, reliability and availability are non-functional requirements, making them a part of your everyday conversations is critical for sailing through audits.

I’ve learned to love our audits for two main reasons:

  1. Since we prepare for them in advance – before we even know they’re coming – we constantly have the opportunity to make our business better.
  2. The audit process will either help us find ways to improve even further or we’ll get a stamp of approval that validates all the hard work we’ve done to be compliant.

You can use your audit process to help you become stronger and operate with less friction, but it takes real effort, practice, and planning. There are some things we started doing right from the start, even before we decided to move down the path of having our software-as-a-service products audited for SSAE16, and I’d recommend them to anyone who gets that pit in their stomach at the thought of an audit. I’ll discuss these steps in-depth at my talk in San Jose, California this Friday at the IAPP Privacy Academy and CSA Congress. If you’re planning to attend the event, be sure to come by the Little Big Stage on Friday at 11:30 am and listen to my “How I Learned to Love My Audit: Lessons in SaaS Data Protection” presentation to learn the processes necessary to “audit-proof” your business; maybe the next time the storm troopers show up, you’ll feel like Yoda.

If you’re not yet registered, there is still time to receive discounted registration pricing. Save $200 off non-member pricing by using Promo Code: 20CSA14. And, be sure to stop by the Spanning booth (#201) and see our audit-friendly cloud-to-cloud backup solution for Google Apps and Salesforce.

Gartner Predicts Rise of the Digital Risk Officer

September 15, 2014

By Michael Piramoon, Director of Analyst Relations, Accellion

The number of devices connected to enterprise networks is skyrocketing. One reason is mobile computing. Mobile workers in the US now carry on average 3 mobile devices, according to a recent survey by Sophos. Fifteen years ago, each of those workers would have connected to the network through a single desktop computer. The number of devices storing business data and connected to the network per employee has tripled (or quadrupled for those employees who still have desktop computers in addition to their mobile devices). And unlike the devices of a decade or more ago, many of these devices have been selected and configured by employees themselves, regardless of whether or not the organization has officially adopted a Bring Your Own Device (BYOD) policy.

Another reason for the increase in devices is the ongoing rapid adoption of special-purpose networked devices, a trend that Gartner and others now refer to as the Internet of Things (IoT). Gartner defines the IoT as “the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” Examples include surveillance cameras, environmental monitoring systems, and factory automation systems. Gartner says that there were 0.9 billion of these devices in 2009, but by 2020 there will be 26 billion—a 30-fold increase.

All those devices and connections create risk for data confidentiality and integrity, which is why Gartner is now predicting the rise of a new executive role, the Digital Risk Officer. According to Gartner:

More than half of CEOs will have a senior “digital” leader role in their staff by the end of 2015, according to the 2014 CEO and Senior Executive Survey by Gartner, Inc. Gartner said that by 2017, one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent.

By 2020, 60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases. IT, operational technology (OT), the Internet of Things (IoT) and physical security technologies will have interdependencies that require a risk-based approach to governance and management. Digital risk management is the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies requiring protection. . . .

The advent of the Digital Risk Officer is another sign of just how vast the changes taking place in enterprise IT are. Connected corporations are becoming hyperconnected as the number of devices multiplies. Services are moving to the cloud, and access is moving from cubicle-tethered desktops to smartphones and tablets. Networks, many now running at speeds of 10G or faster, are supporting more devices and more types of data than ever before.

As Gartner points out, when access is everywhere, risk is everywhere. BYOD and the IoT can make enterprises more agile and productive, but they also introduce new vulnerabilities and security hazards. The next data breach could come from a smartphone, tablet, or networked sensor (many of which were designed without security in mind).

But risk management isn’t the only challenge facing enterprise management teams grappling with the implications of their hyperconnected infrastructures. Keeping security in mind, they should look for ways to re-engineer services and processes to take full advantage of the connectivity and agility enabled by BYOD and IoT. The goal should be to create not only IT services that are more extensive and secure, but also a workforce that is more productive and enthusiastic.

The Lesson from Shadow IT? Workers Want Easy-to-Use Services for Getting Work Done

September 9, 2014

By Hormazd Romer, Senior Director of Product Marketing, Accellion

The phrase “Shadow IT” refers to products and services used by employees without the knowledge or approval of the IT department.

Shadow IT is everywhere: it can be found in just about any department of any organization. When Frost & Sullivan surveyed line of business (LOB) and IT managers, they found that 80% of respondents admitted using non-approved SaaS applications for their work. Moreover, the survey found:

Non-approved applications represent a sizable proportion of all SaaS apps used in a company. According to respondents, the average company utilizes around 20 SaaS applications; of these, more than 7 are non-approved. That means you can expect that upwards of 35 percent of all SaaS apps in your company are purchased and used without oversight.

Popular categories of shadow IT applications include business productivity, social media, file sharing, storage, and backup, according to the survey.

Why are employees using shadow IT? Frost & Sullivan found that these employees just want to get their jobs done. Many shadow IT users felt that the applications they selected met their needs better than those selected by the IT department. In some cases, the employees were already familiar with the applications they selected, and they felt further swayed when the applications were free. In many organizations, there was confusion about who had the authority to select an application: was it the department or IT? Lacking clear guidance from management, employees decided to act for themselves.

If this ad hoc provisioning seems to be meeting employees’ needs, why not just let it continue? Unfortunately, enterprises must stop shadow IT, because it creates enormous security risks and can lead to data breaches and regulatory fines.

How can an enterprise—especially an enterprise in a highly regulated industry such as financial services or healthcare—possibly keep track of all its confidential files if employees are posting files to an ad hoc collection of unmonitored public-cloud file sharing services? How can the finance department of any public company claim it is complying with Sarbanes-Oxley requirements for managing the distribution of financial data, if it has no idea how its files are being distributed?

Files leaked through shadow IT can make the shadow itself especially long, dark, and gloomy, once data breaches are publicized and regulatory penalties accrue.

Enterprises need to take action.

First, they should establish clear policies about who can select which type of application. If IT is in charge, this should be made clear. If departments have leeway to select certain types of applications, that, too, should be made clear. Next, enterprises should educate employees about the risks of public-cloud services that might leak files or admit malware to the network.

Finally, enterprises should select and provision SaaS services that are as powerful and easy-to-use as those being used in shadow IT. Employees are turning to applications to get their work done. Enterprises would be wise to select applications and services that let their employees do just that.

Cloud Security Alliance Congress 2014 – What’s in it for YOU?

September 9, 2014

Many people ask me, why should I attend the CSA Congress 2014 conference over others that seem to monopolize the month of September? This is of course a question asked by those who have never attended a CSA Congress before.

Those who attended last year’s event made a point of sharing with me, and others on the leadership team, what made the event worth the trip to sunny Orlando (the home of Congress until this year). I feel fortunate that these individuals took the time to speak with me about their experience and I can pass that along to you. They expressed first and foremost that we really made a great effort to bring together an incredible lineup of experts that delivered significant, meaningful content to their business or role – many found it difficult to decide which session to attend! They cited that the sessions were excellent in providing practical, real-world knowledge that they could take home and readily apply to their own environment. Our Congress event also provided many individuals with an outstanding opportunity to make new connections and business relationships as well.

Well, we could only top that by adding a new dimension to our Congress event and that would be to team up with an organization whose focus is top of mind when it comes to the implementation of cloud technology – privacy and data protection.

This year we have teamed up with the International Association of Privacy Professionals (IAPP), to offer more than 80 sessions covering all aspects of privacy and cloud security. Nowhere else will cloud, IT and privacy professionals be able to meet and learn from each other, and gain visibility to practical, implementable solutions delivered by leading industry experts. This year’s event will also feature educational sessions on the latest security practices by leading subject matter experts from the world’s most prominent cloud providers including Google, Amazon AWS, Salesforce.com and Microsoft.

A roll call of preeminent industry thinkers will keynote the event including:

  • Judith Donath, Harvard Berkman Faculty Fellow and Author of The Social Machine: Designs for Living Online
  • Taher Elgamal, Chief Technology Officer, Security of Salesforce.com
  • Billy Hawkes, Data Protection Commissioner of Ireland
  • Bruce Schneier, Security Technologist; Fellow, Berkman Center, Harvard Law School; and CTO, Co3 Systems
  • Paul Milkman, Senior Vice President, Technology Risk Management and Security, TD Bank

If you haven’t done so already, check out our agenda and speaker lineup at https://cloudsecurityalliance.org/events/csa-congress-2014/

There is a reason why Cloud Security Alliance Congresses continue to be the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security.

I would like to invite you to join us at this year’s event and experience the benefits of the event for yourself. I certainly hope that you will seek me out to share your opinion on the experience, and that it goes beyond your expectations.

There is still time to receive discounted registration pricing. Save $200 off nonmember pricing by using Promo Code: 20csa14

We hope you will join us.

Sincerely,

Jim Reavis, CEO, Cloud Security Alliance

Dyre need to secure what matters

September 8, 2014

By Rajneesh Chopra, VP of Product Management, Netskope

With the iCloud hack in the backdrop raising issues around authentication, another problem has come to the fore – this one affecting Salesforce and going by the name Dyre (alternatively Dyreza). More details are available here – http://goo.gl/s8BSdY.

The first signals of Dyre being circulated on the Internet were seen by researchers back in June 2014. The vector for spreading this malware has been a phishing email in which the user was lured to click on a link to ostensibly download a file – typically an .exe or a .scr file that is zipped. Once installed, the malware applies a browser hooking technique to intercept traffic before it is encrypted, thereby enabling it to redirect that traffic to a different website than the user intends.

Hackers have set up web pages that look just like that of the intended website and are able to harvest users’ login credentials when they provide them. Since all traffic over an extended period of time is sent to the page put up by the hacker, even information from two-factor auth tokens is available to these malicious actors to use to access targeted cloud apps in real time. The known variants of the attacks still seem to be a bit basic and will most likely be refined further in the future.

Our research team has been monitoring for potential infections related to this malware; none of our customers has yet been affected. What we have seen is growing activity related to getting access to cloud apps through vulnerabilities. This is entirely unsurprising; attackers will go where valuables reside. Since enterprises are increasingly using the cloud for a variety of reasons – some officially sanctioned by corporate IT and many others not so much – this can put important business data at risk.

With a huge number of devices accessing a growing number of cloud-resourced apps from locations no longer within a tightly managed environment, constant monitoring and thoughtful control of these apps is a must-have for the enterprise today. Although the observed phishing emails contained links to files in LogMeIn’s Cubby.com file storage service, there is nothing special about Cubby.com; this could have been any of the thousands of apps that provide file sharing. There are nearly 200 cloud storage apps that we track in the Netskope Cloud Confidence Index™, but one out of five apps across nearly every category we track enables some type of sharing.

It is worth noting that this is not per se a vulnerability in Salesforce nor a flaw in the 2-factor authentication that Salesforce rightly encourages its customers to follow. It’s more about enterprises being responsible for their own users and their own data even when using a cloud app – what CSA calls out as a shared responsibility model. Even encrypting the content stored in the app would not protect the data, since the authenticated user would have access to the unencrypted data as per policy.

Would monitoring all cloud apps that store content – not just a handful of sanctioned ones – and tracking what activities are performed give an enterprise a true picture of usage and risk, and a baseline against which to look for anomalous activity? The answer is yes. For example, on a run-rate basis, a few users may have been using Cubby.com from a couple of geolocations, but if you suddenly started seeing an increasing number of downloads of zipped files containing .exe and .scr files from this app, that would be considered anomalous behavior and spur you to take immediate action.

The context of who accessed an app from which device and location at what time with what credentials would not only be useful in identifying the infection, but would also pinpoint where the remediation needs to be targeted. In addition, you can extend Salesforce’s guidance to customer admins and restrict access to only those IP addresses that are a trusted source, for all of your apps that provide content sharing. This would thwart any access attackers may attempt on Salesforce, or any other app, from their own servers.
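The run-rate baseline, the spike in downloads of archives holding .exe/.scr files, the who/where context for remediation, and the trusted-IP restriction described in the two paragraphs above, worked through as an added example (this is illustration code written for this page, not Netskope’s product or data): the activity records, the app name “cubby”, the IP ranges and the archive-inspection field are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample of cloud-app activity records (hypothetical, not real
# Netskope output). Each record: (day, user, app, activity, file,
# archive_members, src_ip, country). archive_members lists the files that
# file inspection found inside a downloaded archive; empty for non-archives.
RECORDS = [
    ("2014-09-01", "alice", "cubby", "download", "q3_report.pdf", (), "203.0.113.10", "DE"),
    ("2014-09-02", "bob",   "cubby", "download", "deck.pptx",     (), "203.0.113.11", "DE"),
    ("2014-09-03", "alice", "cubby", "download", "sdk.zip", ("setup.exe", "readme.txt"), "203.0.113.10", "DE"),
    ("2014-09-04", "bob",   "cubby", "upload",   "budget.xlsx",   (), "203.0.113.11", "DE"),
    ("2014-09-05", "carol", "cubby", "download", "photos.zip", ("a.jpg", "b.jpg"), "203.0.113.12", "DE"),
    ("2014-09-06", "alice", "cubby", "download", "notes.txt",     (), "203.0.113.10", "DE"),
    ("2014-09-07", "dave",  "cubby", "download", "plan.docx",     (), "203.0.113.13", "DE"),
    # Day 8: many users pull archives whose members are executables or screensavers,
    # one of them from a source IP and country never seen before.
    ("2014-09-08", "alice", "cubby", "download", "invoice.zip", ("invoice.exe",), "203.0.113.10", "DE"),
    ("2014-09-08", "bob",   "cubby", "download", "invoice.zip", ("invoice.exe",), "203.0.113.11", "DE"),
    ("2014-09-08", "carol", "cubby", "download", "fax.zip",     ("fax.scr",),     "203.0.113.12", "DE"),
    ("2014-09-08", "dave",  "cubby", "download", "invoice.zip", ("invoice.exe",), "203.0.113.13", "DE"),
    ("2014-09-08", "erin",  "cubby", "download", "fax.zip",     ("fax.scr",),     "203.0.113.14", "DE"),
    ("2014-09-08", "frank", "cubby", "download", "invoice.zip", ("invoice.exe",), "198.51.100.7", "RO"),
    ("2014-09-08", "gina",  "cubby", "download", "minutes.pdf", (),               "203.0.113.15", "DE"),
]

EXECUTABLE_SUFFIXES = (".exe", ".scr")


def is_risky_archive_download(rec):
    """True for a download of an archive containing an .exe or .scr member."""
    _, _, _, activity, _, members, _, _ = rec
    return activity == "download" and any(
        m.lower().endswith(EXECUTABLE_SUFFIXES) for m in members)


def daily_risky_counts(records, app):
    """Per-day count of risky archive downloads for one app."""
    counts = defaultdict(int)
    for rec in records:
        if rec[2] == app and is_risky_archive_download(rec):
            counts[rec[0]] += 1
    return dict(counts)


def find_spikes(records, app, factor=3.0, min_count=5):
    """Days whose risky download count is at least min_count and at least
    factor times the mean daily count over all earlier days seen for the app
    (the run-rate baseline the post describes). min_count keeps a baseline of
    zero from flagging a single download."""
    days = sorted({rec[0] for rec in records if rec[2] == app})
    counts = daily_risky_counts(records, app)
    spikes = []
    for i, day in enumerate(days):
        if i == 0:
            continue  # no earlier days, so no baseline yet
        baseline = mean([counts.get(d, 0) for d in days[:i]])
        today = counts.get(day, 0)
        if today >= min_count and today >= factor * baseline:
            spikes.append(day)
    return spikes


def spike_context(records, app, day):
    """Who, from which source IP and country: the context that scopes remediation."""
    hits = [r for r in records
            if r[0] == day and r[2] == app and is_risky_archive_download(r)]
    return {
        "users": sorted({r[1] for r in hits}),
        "src_ips": sorted({r[6] for r in hits}),
        "countries": sorted({r[7] for r in hits}),
    }


def outside_trusted_networks(records, trusted_cidrs):
    """Records whose source IP falls outside the allowlisted ranges (the
    trusted-source restriction the post recommends for sharing apps)."""
    nets = [ip_network(c) for c in trusted_cidrs]
    return [r for r in records if not any(ip_address(r[6]) in n for n in nets)]


if __name__ == "__main__":
    for day in find_spikes(RECORDS, "cubby"):
        print(day, spike_context(RECORDS, "cubby", day))
    untrusted = outside_trusted_networks(RECORDS, ["203.0.113.0/24"])
    print(len(untrusted), "record(s) from outside trusted networks")
```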

To determine the current risk and how to best eliminate it in order to safely enable the productive use of cloud apps in your enterprise, contact us for a complimentary cloud risk assessment.

In-house Counsel Should Take BYOD Risks Seriously

September 3, 2014

By Nina Seth, Senior Product Marketing Manager, Accellion

In many organizations, decisions about mobile technology are made primarily or exclusively by the IT and IT security departments working together.

All too often, there’s one department that’s left out of these discussions: the organization’s own legal team, and in-house counsel. This omission is unfortunate. Legal counsel is familiar with laws, including the latest rulings about electronic discovery and data privacy, and other issues pertaining to liability and risks. Enterprises would be wise to consult in-house counsel when establishing employee policies about data confidentiality, BYOD, and use of mobile devices. There’s another reason, too, for consulting in-house counsel when mobile security policies are being formulated. In the unfortunate case that mobile technology leads to a data breach or regulatory violation, in-house counsel will likely end up spearheading the response. If the company’s legal team has the opportunity to offer guidance before a possible breach or violation occurs, then the opportunity for legal surprises is minimized.

In a series of articles for InsideCounsel Magazine (here and here), attorney and legal security expert Matt Nelson explains why inside counsel should be involved in mobile security decisions from the start. He makes the following points about legal issues and a mobile workforce:

  • Whether a company adopts a BYOD policy and allows employees to use personal devices for work or rejects BYOD requests and issues all employees company-sanctioned mobile devices, the legal liability is roughly the same. Employees are going to mix personal data and business data on their mobile devices regardless. Enterprise IT organizations should plan accordingly and deploy security solutions that protect business data, regardless of who owns the device.
  • Data stored on mobile devices may be discoverable (that is, required by a court to be presented as evidence by a specific deadline). The IT organization may need to have technology for tracking and retrieving material information stored on mobile devices, including devices owned by employees. Nelson cites a recent case from Illinois, In re Pradaxa Product Liability Litigation, in which the Southern District of Illinois fined defendants $931,000 to encourage them “to respect this court and comply with its orders.” Central to the order was defendants’ failure to preserve text messages on employees’ mobile phones.
  • Data on mobile devices is at risk. Mobile malware is proliferating, and lost devices are usually compromised. Nelson describes an experiment in which Symantec left 50 mobile phones in public locations in 5 different cities to see how the phones would fare when discovered by strangers. In 96% of the cases, people who found phones tried to access their data. Only half of the people who found the phones attempted to return them. The experiment demonstrated that enterprises cannot assume that lost devices will be returned or left untampered with. On the contrary, a lost device is likely going to result in a data breach, even if it’s only a minor one.

Nelson’s advice for enterprises? IT teams should bring their in-house counsel and legal teams to the table when defining security policies. Also, any mobile security solutions should provide IT administrators and legal counsel with the ability to monitor, track, and retrieve data on mobile devices. In addition, mobile security solutions should guard against mobile malware and protect data on devices that are lost or stolen.

In my judgment, Nelson makes a solid case.