Cloud Security Roadmap for 2019 & Beyond

By Amélie Darchicourt, Product Marketing Manager, ExtraHop

How to succeed under the shared responsibility model

Cloud security is an evolving space where consumers and vendors must innovate quickly, not only to outpace attackers, but also to support rapid development while minimizing the risks presented by misconfiguration and other forms of user error. Your best bet is to stay closely attuned to industry learnings and best practices compiled by trusted thought leaders.

Recently the global market intelligence firm, IDC, released a new workbook. In this new IDC Workbook, you’ll find a Cloud Security Roadmap that covers the limitations and best practices of the Shared Responsibility Model in cloud security, as well as a checklist to help you understand your technology needs and evaluate potential cloud security vendors.

You can access a copy here.

It’s Time for Security Leadership to Embrace the Cloud-First Future

By Arif Kareem, CEO and President at ExtraHop Networks

On the campus at Stanford Business School is a plaque engraved with a quote from Phil Knight, graduate of the business school and co-founder of Nike. I’ve visited the campus many times, and each time the words stop me in my tracks.

“There comes a time in every life when the past recedes and the future opens. It’s that moment when you turn to face the unknown. Some will turn back to what they already know. Some will walk straight ahead into uncertainty. I can’t tell you which one is right. But I can tell you which one is more fun.”

Right now is such a moment for enterprise security.

Systemic challenges plague modern security operations teams. Lack of cohesive visibility across the attack surface, tool sprawl, siloed data, and rapid-fire alerts make it difficult to prioritize the most critical assets and identify the most dangerous threats.

At the same time, the attack surface itself is rapidly evolving. The business-level mandate to move more and more workloads to cloud changes the parameters of the attack surface, disrupting old workflows and blowing past traditional perimeters.

As many enterprises are learning the hard way, applying old approaches and tool sets – ones that are already struggling to secure existing on-premises deployments – sets SecOps teams up to fail.

The traditional on-premises model uses a perimeter-based approach to security, focusing on keeping the bad actors out as opposed to detecting what’s happening within. But as many enterprise security teams have learned the hard way, this model is ill-suited to the threat landscape in the cloud and across the hybrid attack surface.

Threats are not just malicious actors that make their way in. They are inside actors. They are misconfigured services. They are shadow workloads containing sensitive enterprise data. In the world of cloud, the perimeter is obsolete.

The reality of cloud requires an inside out approach to security. And just as the cloud provides a greenfield opportunity for DevOps and IT Ops teams to scale and grow, it also represents a new beginning for SecOps. Rather than retrofitting old tooling and architectures for the cloud, SecOps teams should embrace the opportunity to build a cloud-first security strategy, one that can be used not only for cloud deployments, but to improve security across the entire hybrid attack surface.

Twenty years ago, the rise of the internet upended the world of business. It took down Fortune 500 companies and catapulted start-ups to multi-billion dollar valuations. The businesses that grew, survived, and thrived in that new reality walked straight ahead into the unknown. They embraced the future. Those that turned back… well, that’s a different story.

Cloud upends the traditional enterprise security model. Organizations that embrace the scale, efficiency, and growth it enables must also take a cloud-first approach to security. The past is receding. The future is calling. Will you answer?

4 Reasons Why IT Supervision is a Must in Content Collaboration

By István Molnár, Compliance Specialist, Tresorit

For many organizations, workflow supervision is one of the biggest challenges to solve. Ideally users should be properly managed and monitored but sadly, countless organizations suffer from a lack of IT supervision. As a result, there is no telling what users are capable of doing. One of the main fields where a lack of IT supervision can become a major issue is content collaboration.

Content collaboration is the process of securely sharing, synchronizing and storing content files in a structured and transparent manner. It is one of the most frequently applied methods of user interaction and the default portal for exchanging business-critical information both internally and externally. This makes it an area where serious IT involvement is needed to ensure data security, user efficiency and business continuity.

What are the main causes and how to solve unsupervised content collaboration?

In a number of instances, IT departments are completely out of the loop when it comes to managing and monitoring internal and third-party content collaboration. This boils down to having no transparency and traceability in regard to user and file related activities. By isolating the main causes creating an unsupervised infrastructure, we can also identify how to solve them.

 1) Not knowing what rights users have

Although IT departments have some form of user directory in place, like an Active Directory or LDAP, they still struggle when it comes to individual file associated rights. That is because all these tools do is decide whether the user falls under the category in order to access a collaboration platform or not. Even though a user is authorized to collaborate, that doesn’t mean they should have full access and editorial rights over all given files.

Without properly managing user rights, organizations can’t guarantee data confidentiality as users may accidentally or intentionally cause harm by managing files that should be limited or inaccessible to them. In addition to internal users, third-party management should receive the same level of attention; it is crucial to identify who should access files from outside of the organization’s secure perimeter, as well as for what purpose.

What is the solution?

Implementing functions such as access rights management is essential in supervising internal users and externally collaborating parties. Supervising the entirety of the user lifecycle from the point they join the organization till their last day as an employee allows total control over their rights and level of privileges. By identifying and providing the necessary minimum amount of rights to users, organizations can enforce the least privileges principle. This helps mitigate the probability of unauthorized access and disclosure of business-critical information. It is possible to support both the top-down and bottom-up attribution of rights by isolating larger group-based rights yet also allowing flexibility to individual users with custom rights attribution when needed.

2) Not having a clear inventory on files

User and group management is one thing, but data itself is also a vital segment in an organization’s life. Not knowing what files are actually being produced and where are they stored is a common symptom of a decentralized infrastructure. It occurs most commonly when each department operates in silos and stores files on separate standalone systems and devices instead of in one central repository. The drawback of this is that IT simply cannot keep visibility over the most crucial information produced and managed it within the organization. As a result, there is no telling what files already exist, if there is any work flow conflict and simply who has access to what and to what degree.

What is the solution?

Establishing a central file repository completely owned and managed by IT. Users may assume ownership over the folders and files stored within, but overall management should fall in the hands of IT professionals. This allows organizations to enforce company wide policies on data storage location and prohibit any attempts to store data outside the collaboration platform.

3) Not knowing what tools are used for collaboration

Many times, employees take an alternative route and start using consumer-grade tools for business collaboration. The reason behind this is mainly that the in-place Content Collaboration Platform turned out to be way too cumbersome to use, making every-day work almost impossible due to excessive security precautions.

What is the solution?

To solve the issue, a balance must be struck between efficiency and security. If the organization solely focuses on one aspect it will severely hinder the other. Lack of security may make it more convenient for users but also creates a number of potential attack surfaces. This goes for the other way around as well. Too much security might be appealing from an administrative perspective, but it also can easily make any form of collaboration almost impossible for users.

4) Not being able to log events and activities

Not possessing reliable evidence on user and file related activities can cause serious ramifications during forensic investigations and compliance audits. During a data breach, every second can count. As a first step once a breach is identified, the security team will try to accumulate as much evidence as possible to identify: What data and which users are affected? What or who could have caused the breach? What is the magnitude and scale of the breach? If the security team lacks the tools to pinpoint these factors, then it is a guarantee that similar breaches will soon follow leaving the organization in a desperate financial and reputational situation.

Failing a compliance audit can also result in the same ramifications. One of the first things required during an audit is clear documentation on every user and activity. If the organization is incapable of producing reliable information on its infrastructure and all events occurring in it then the audit will surely fail.

What is the solution?

The solution lies in reporting capabilities. The more customizable and detailed they are, the better. In terms of content collaboration having clear reports on who accessed, shared or deleted files is the most important question to answer.

In conclusion

All-in-all, content collaboration is a vital part of an organization’s life and requires serious monitoring and control effort to ensure data confidentiality, user efficiency and business continuity.

New and Unique Security Challenges in Native Cloud, Hybrid and Multi-cloud Environments

By Hillary Baron, Research Analyst, Cloud Security Alliance

cloud security complexity

CSA’s latest survey, Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments, examines information security concerns in a complex cloud environment.

Commissioned by AlgoSec, the survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security in current hybrid cloud and multi-cloud security environments, including public cloud, private cloud, or use of more than one public cloud platform.

Topics covered in the report include:

  • Types of cloud platforms currently in use
  • Proportion of workloads actively in the cloud
  • New workloads expected to be moved into the cloud
  • Anticipated risks and concerns about potential migrations to the cloud
  • Challenges managing security after adopting cloud technologies
  • Methods for addressing these security challenges
  • Challenges related to network or application outages
  • Methods for and results of addressing outages and security incidents

Key findings in cloud computing complexity

The survey illustrates the need within our industry to better address these issues before adopting cloud technologies in order to create practical and manageable network environments–rather than simply putting out fires as they arise after deploying new technologies. It also highlights the need to maintain cloud service-specific knowledge during the growth of the service with the aim of staying current with new features and functionality.

Specifically, the survey found that:

  • Cloud creates configuration and visibility problems:  When asked to rank on a scale of 1 to 4 those aspects of managing security in public clouds they found challenging, respondents cited proactively detecting misconfigurations and security risks as the biggest challenge (3.35), closely followed by a lack of visibility into the entire cloud estate (3.21). Audit preparation and compliance (3.16), holistic management of cloud and on-prem environments (3.1), and managing multiple clouds (3.09) rounded out the top five.
  • Human error and configuration mistakes are the biggest causes of outages: Eleven percent (11.4%) of respondents reported a cloud security incident in the past year, and 42.5 percent had a network or application outage.  The two leading causes were operational / human errors in management of devices (20%), device configuration changes (15%) and device faults (12%).
  • Cloud compliance and legal concerns are serious worries: Compliance and legal challenges were identified as major concerns when moving into the cloud (57% regulatory compliance; 44% legal concerns).
  • Security is the major concern in cloud projects: Eighty-one percent of cloud users said they encountered significant security concerns. Concerns over risks of data losses and leakage were also high with users when deploying in the cloud (cited by 62%), closely followed by regulatory compliance concerns (57%), and integration with the rest of the organizations’ IT environment (49%).

As cloud environments become more complex, we can expect to see the trends identified in this survey continue. Unsurprising then that it will be more important than ever for IT professionals to have visibility into available resources, understand cloud provider security tools, create personalized plans for securing their organization, and evaluate staff knowledge to ensure security of these complex cloud environments.

Download the full report to learn more about Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments.

Editor’s Note: Sponsors of CSA research are CSA Corporate Members, who support the findings of the research project but have no added influence on content development nor editing rights. The report and its findings are vendor-agnostic and allow for global participation.

Survey Says: Almost Half of Cloud Workloads Not Controlled by Privileged Access

By Nate Yocom, Chief Technology Officer, Centrify

For the past few years, Centrify has been using a statistic from Forrester to demonstrate the importance of protecting privileged accounts, which estimates that 80 percent of data breaches involve privileged credentials. This first showed up in The Forrester Wave: Privileged Identity Management report in Q3 2016, and was used again in the same report in Q4 2018.

Recently I was thrilled to see the results of a survey we conducted with FINN Partners, polling 1,000 IT decision makers (500 U.S./500 U.K.) about their awareness of the privileged credential threats they’re facing, their understanding of the Privileged Access Management (PAM) market, and how Zero Trust can help reduce their risk of becoming the next data breach headline.

The headline stat from the survey:

This fact now confirms what we already know: The majority of cyber-attacks abuse privileged credentials, making it the leading attack vector.

Furthermore, it’s pretty close to the Forrester estimate, and lends credibility to why Gartner named PAM a Top 10 Security Project in 2018, and again in 2019.

Still not prioritizing PAM

What’s concerning about the survey, however, is that despite knowing privileged credential abuse is involved in the majority of breaches, most organizations and IT leaders are not prioritizing PAM or implementing it effectively. What’s worse, they continue to grant too much trust and too much privilege.

We’ve said or written it a thousand times: attackers no longer “hack” in, they log in using weak credentials and then fan out, seeking privileged access to critical infrastructure and sensitive data.

There are some very basic PAM capabilities and best practices that are still not being implemented, namely:

  • 52 percent of respondents do not have a password vault! This is PAM 101, and one of the very first steps of the PAM maturity model. Over half aren’t even vaulting privileged passwords, which means they’re probably written down on shared spreadsheets.
  • 63 percent indicate their companies usually take more than one day to shut off privileged access for employees who leave the company.
  • 65 percent are still sharing root or privileged access to systems and data at least somewhat often, including to cloud infrastructure and workloads.

The modern threatscape – including cloud workloads – is not secure

If organizations are still struggling to implement some of the most basic or required PAM strategies, then it’s not surprising that the survey revealed most are also not securing modern attack surfaces, most notably cloud workloads.

While it’s encouraging to see that 63 percent of US respondents are controlling privileged access to cloud workloads, there’s a pretty big gap between them and the 47 percent of UK counterparts who are doing the same. Furthermore, that averages out to 55 percent of all respondents … which means that almost half are NOT leveraging PAM solutions to manage privileged access to cloud workloads.

This is a big focus area for Centrify right now. One area we know is a major pain point is directory services. Cloud services like AWS and Azure require the creation of a unique user directory, making a huge mess to create, manage, update, and revoke privilege when needed.

One solution is to provide multi-directory brokering, enabling an organization to leverage whatever user directory it’s already using to broker access to cloud infrastructure, services, and workloads. So, for example, if an organization is using Active Directory (AD) to control authentication, they would be able to leverage the existing directory to manage and broker privileged access to AWS or Azure.

That’s a perfect example of a modern attack surface that needs privilege management, but doesn’t have the native capabilities to provide it simply and effectively. Legacy PAM solutions simply cannot secure modern attack surfaces.

Organizations need to quickly move to Zero Trust Privilege backed by cloud-ready services that minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity and costs for the modern, hybrid enterprise.

Download the survey report now.

Nate Yocom is Chief Technology Officer at Centrify and a member of CSA’s Hybrid Cloud Security Services Working Group.

The Many Benefits of a Cloud Access Security Broker

By Will Houcheime, Product Marketing Manager, Bitglass

server hallway leading to blue sky with clouds

Today, organizations are finding that storing and processing their data in the cloud brings countless benefits. However, without the right tools (such as cloud access security brokers (CASBs), they can put themselves at risk. Organizations’ IT departments understand how vital cybersecurity is, but must be equipped with modern tools in order to secure their data. CASBs protect against a wide range of security concerns that enterprises face when migrating to the cloud. Consequently, they have quickly increased in popularity and have become a one-stop-shop for countless enterprise security needs.   

BYOD, SaaS or IaaS

Depending on the industry in which an organization operates, it may need to focus on security for managed devices, or perhaps it might need more of a bring your own device (BYOD) solution. While major SaaS applications improve organizational productivity and flexibility, they can serve as entry points for malicious threats such as malware or be used to share sensitive data with unauthorized parties. In infrastructure-as-a-service platforms, even a simple misconfiguration can cause data leakage and jeopardize an organization’s wellbeing. Without a solution designed to address these modern security concerns, organizations can fall victim to these and other threats.

In recent years, cloud access security brokers have been used to prevent these types of unfortunate scenarios from happening to organizations. Whether it’s securing data on personal devices, limiting external sharing, stopping cloud malware, or other security needs, CASBs have been stepping in and protecting data whether it is in transit or at rest. In our latest white paper, Top CASB Use Cases, we go into detail about how organizations have used cloud access security brokers to embrace both the cloud and BYOD without compromising on security.

For information about how CASBs help secure data, download the Top CASB Use Cases.

34 Cloud Security Terms You Should Know

By Dylan Press, Director of Marketing, Avanan

Cloud Security 101 written on a chalkboardWe hope you use this as a reference not only for yourself but for your team and in training your organization. Print this out and pin it outside your cubicle.

How can you properly research a cloud security solution if you don’t understand what you are reading? We have always believed cloud security should be simple, which is why we created Avanan. In an attempt to simplify it even more we have created a glossary of 34 commonly misunderstood cloud security terms and what they mean.

Account Takeover

A type of cyber attack in which the hacker spends extended periods of time dormant in a compromised account, spreading silently within the organization through internal messages until they have access to information that is valuable to them. They may use the account to attack other organizations.

Related: Read our whitepaper Cloud Account Takeover

Advanced Persistent Threat (APT)

This an attack in which an the attacker gains access to an account or network and remains undetected after the initial breach. The “advanced” describes the initial breach technique (phishing or malware) that was able to evade the victim’s security. The attack is “persistent” because the attacker continues to carry out the attack through reconnaissance and internal spread long after the initial breach.

Advanced Threat Protection (Microsoft ATP)

Microsoft offers its Advanced Threat Protection for an additional $24 per user per year. It includes capabilities not available in the default Office 365/Outlook.com account:

  • Safe Links: replaces each URL, checking the site before redirecting the users.
  • Safe Attachments: scanning attachments for malware
  • Spoof Intelligence: analyzes external emails that match your domain.
  • Anti-phishing Filters: looks for signs of incoming phishing attacks.

Anomaly

A type of behavior or action that seems abnormal when observed in the context of an organization and a user’s historical activity. It is typically analyzed using some sort of machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior and email message patterns. Anomalies are often a sign that an account is compromised.

API Attack

An API (Application Programming Interface) allows two cloud applications to talk to one other directly, allowing a third party to read or make changes directly within a cloud application. Creating an API connection requires a user’s approval, but once created, runs silently in the background, often with little or no monitoring. An API-based attack typically involves fooling the user into approving an API connection with a phishing attack. Once granted the API token, the attacker has almost complete access and control, even if the user changes the account password. To break the connection, the user must manually revoke the API token.

Behavioral Analysis

A security measure in which a file’s behavior is monitored and analyzed in an isolated environment in order to see if it contains hidden malicious functions or is communicating with an unknown third-party.

Brand Impersonation

A method of phishing attack in which the perpetrator spoofs the branding of a well-known company to fool the recipient into entering credentials, sharing confidential information, transferring money or clicking on a malicious link. An example might be a forged email that looks like it is from a social media company asking to verify a password.

Breach Response

A form of security that remedies the damage caused by a breach. For example, changing passwords, revoking API tokens, resetting permissions for shared documents, enabling multi-factor-authentication, restoring lost or edited documents, documenting and classifying leaked information, identifying potential pathways to collateral compromise.

CASB

An acronym for Cloud Access Security Broker. This is a type of security that monitors and controls the cloud applications that an organization’s employees might use. Typically, the control is enforced by routing web traffic through a forward- or reverse-proxy. CASBs are good for managing Shadow IT and limiting employee’s use of certain SaaS or the activity within those SaaS but do not monitor third-party activity in the cloud–i.e. shared documents or email.

Related: Can a CASB Protect You from Phishing or Ransomware?

Cloud Access Trojan

Also known as a CAT, a Cloud Access Trojan describes any method of accessing a cloud account without the use of a username and password, for example, a malicious user syncing a desktop app, forwarding all email to an external account, connecting a malicious script or simply authorizing a backup service for which they have full access. In each case, the attacker needs only momentary access, often gained through a phishing attack.

Related: Cloud Access Trojan: The Invisible Back Door to Your Enterprise Cloud

Cloud Messaging Apps

Cloud-based communication services that include email but are used by companies for internal communication but also might include trusted partners. Often employees imbue more trust in these apps even though they are just as capable of distributing malware or phishing messages.

Cloudify

Taking a software that was created for on-premise or datacenter usage, wrapping it with an API container and converting it to a cloud service. For example, taking the malware analysis blade from a perimeter appliance and adapting it so that it can be configured and scaled without the need for direct management. This also includes the automation of software licensing and version control.

Compromised Account

An account which has been accessed and is possibly controlled by an outside party for malicious reasons. This can be done either via API connection or by gaining credentials to the account from a leak or phishing email. Typically, the goal of the attacker is to remain undetected, in order to use it as a base for further attacks.

Related: Account Takeover: A Critical Layer Of Your Email Security

Data Classification

A security and compliance measure in which all of an organization’s documents are scanned and categorized based on their sensitivity and then are automatically encrypted or adjusted to the correct sharing level permissions. For example documents containing customer information or employee social security numbers would be classified as highly sensitive and encrypted where as an external facing white paper would be classified as non-sensitive and likely not encrypted.

DLP (Data Leak Prevention or Data Loss Prevention)

A type of security that prevents sensitive data, usually files, from being shared outside the organization or to unauthorized individuals within the organization. This is done usually through policies that encrypt data or control sharing settings.

DRM

Digital Rights Management: a set of access control technologies for restricting the use of confidential information, proprietary hardware and copyrighted works, typically using encryption and key management. (Also see IRM)

Gateway

A gateway is any device or  is another word for an MTA, please see the definition for MTA.

IRM

Information Rights Management is a subset of Digital Rights Management that protects corporate information from being viewed or edited by unwanted parties typically using encryption and permission management. (also see DRM)

Latency

The added time it takes for an email to be delivered to its intended recipient. Security measures sometimes add latency as they perform scans on the email prior to allowing the email to reach the user’s inbox.

Malconfiguration

A deliberate configuration change within a system by a malicious actor, typically to create back-door access or exfiltrate information. While the original change in configuration might involve a compromised account or other vulnerability, a malconfiguration has the benefit of offering long term access using legitimate tools, without further need of a password or after a vulnerability is closed.

Misconfiguration

A dangerous or unapproved configuration of an account that could potentially lead to a compromise typically done by a well-intentioned user attempting to solve an immediate business problem. While there is no malicious intent, misconfiguration is actually the leading cause of data loss or compromise.

MTA

An acronym for Message Transfer Agent. An MTA is an appliance or service that acts as the authorized server-of-record for electronic messages, eventually passing them on to the final mail server.

Related: 7 Reasons Not to Use an MTA Gateway

Phishing

A type of attack in which a message (often email, but could be any messaging system) is sent from a malicious party disguised as a trusted source with the intention of fooling the recipient into giving up credentials, money, or confidential data. It often includes a malicious link or file, but could be a simple as a single sentence that causes some sort of insecure response. (Also see Spearphishing.)

Proxy

A proxy can include any gateway, service or appliance that causes a rerouting of traffic through an appliance or cloud service. For example, a web proxy or CASB will redirect a user’s web browsing in order to decrypt the traffic and block particular applications or data. Mail proxy gateways (see MTA) reroute incoming email in order to scan and block spam, phishing or other malicious email. A proxy is limited in its visibility as it cannot monitor or control traffic it cannot see, i.e. remote and non-employee web usage or internal email traffic.

Quarantine

The act of encrypting, moving or changing the share permissions of a file so that it is unreachable by a user until it can be deemed safe or authorized by the intended recipient.

Ransomware

A type of malware that encrypts the files on an endpoint device using a mechanism for which only the attacker has the keys. While the attacker will offer the key in exchange for payment, fewer than half of victims that do pay actually recover their files.

Sandboxing

A type of security measure that involves testing a file or link in a controlled environment to see what effect it has on the emulated operating system, typically the first line of defense against zero-day attacks for which there is no signature or pre-knowledge of the code.

Shadow IT

Any unapproved cloud-based account or solution implemented by an employee for business use. It might also include the use of an unknown account with an approved provider, but administered by the user rather than corporate IT.

Shadow SaaS

An unapproved cloud application that is connected in some way (typically by API) to that organization’s SaaS or IaaS with access to corporate data but without permission from the organization.

Spearphishing

A type of phishing attack that is designed to target a small number of users, sometimes only one user such as a CEO. Spear-phishing attacks usually involve intensive research by the hacker to increase the chances that the intended target will fall for it.

Tokens

A unique authorization key used for API interactions. Each token is granted a certain level of access and control and often continues to provide access until the token is manually revoked.

URL Analysis

A security measure that reviews a link to assess if it is genuine and will direct to a safe and expected destination with no unintended side effects.

URL Impersonation

A technique used in phishing attacks in which the hacker creates a URL that looks like a link to a trusted website to the untrained eye. These techniques can be thwarted using URL analysis.

User Impersonation

A technique used in phishing attacks in which the hacker makes their email look like it is coming from a trusted sender, either a corporation or another employee. This can be done by editing their nickname or using an email address that looks like it is from a trusted organization.

We will be continuing to add to this list and if you have any suggestions for terms to include please reach out to [email protected].