May 1, 2015
By Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream
An integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.
One of my favorite Dilbert cartoons shows Mordac, the “Preventer of Information Service,” saying, “cloud computing is no good because strangers would have access to our data.” Dilbert tries to explain that encryption technology is trustworthy—certainly more trustworthy than Mordac himself. The grain of truth here is that, within any organization, there are still mixed responses to cloud computing.
Today, enterprises are adopting cloud computing in a big way. According to CIO.com, the National Association of State CIOs (NASCIO) recently surveyed its members and reported cloud adoption is the second biggest priority for CIOs, only after cybersecurity. But CIOs today are still choosy about what data they want to place in the cloud. The majority have asserted that they do NOT want to put confidential company financial data or credit card data in the cloud. Makes sense—personal information data leaks are terrible PR.
Simply stated, the perception of cloud computing at most companies is mixed. Those advocating for the cloud speak to its improved agility, flexibility, high performance and lowered costs. Those who are still on the fence are concerned about data security, decentralization of their IT team, service reliability and the loss of control over their IT ecosystem. Both sides of the debate have valid points.
10 Key Imperatives
To increase acceptance and adoption of cloud computing at your organization, there are 10 must-haves that can be sub-divided into two groups: infrastructure imperatives and information security imperatives. The first set, the infrastructure imperatives, affects the cloud-hosting environment:
- Federated identity management & access control – The cloud-based system must support multiple concurrent users with distinct roles and levels of access, so that segregation of duties can be enforced.
- Centralized control and visibility over the IT landscape – The IT manager should be able to monitor and manage the system from a centralized console.
- Dynamic failover protection & data replication – The system should guarantee 99.5 percent availability as a minimum.
- Automated application performance management – For a uniform user experience, the system should ensure performance as per the service-level agreement (SLA).
- Network segmentation – The ability to segment and segregate networks across customers limits the propagation of any security incident.

Given the proliferation of cybersecurity threats and vulnerabilities, the remaining five are information security imperatives that apply to both cloud-hosted and on-premise environments:

- Continuous threat and vulnerability assessments – Data center security needs to be assessed regularly to ensure adherence to the latest information and network security standards.
- Security upgrades and monitoring on demand – Monitor the security posture and ensure that updates are applied regularly in response to the latest cyber threats.
- Meta-data driven information security – Analysis of the meta-data generated across security and system logs will identify significant, potentially malicious, patterns.
- Continuous control monitoring of policies – It is vital to continuously monitor adherence to security, access and other policies across the cloud.
- Virtualized security & perimeter controls – Security and perimeter controls need to extend down to the individual virtual machine.
How can we achieve these imperatives across cloud-based deployments?
The enterprise needs to implement a robust governance, risk management and compliance (GRC) framework across the complete cloud infrastructure, acting as the single source of truth for all regulatory compliance obligations, security and access controls, and risk and vulnerability assessments.
Wish list for a GRC Framework
First, let’s look at the “bare minimum” requirements for a GRC framework for cloud computing:
- Continuous system monitoring – Feed system logs and reports into the GRC framework regularly for continuous risk assessment.
- Penetration testing audits – Audit the third-party penetration test results, findings and remediations on a pre-determined schedule.
- Incident response management – Create and manage a defined workflow within the organization so that departments such as IT, Legal and Finance respond in a coordinated and appropriate way to any cloud security event.
- Data portability testing – Perform a yearly or quarterly audit, and document the process and findings, to ensure that the data is portable across data centers.
- Disaster recovery & business continuity – Ensure that proper disaster recovery and business continuity measures are in place, along with regular tests and documentation.
- Onsite & offsite backup audits – Audit backups to check that data can actually be restored from them.
Once the must-haves have been checked off, here is a list of “nice to haves”:
- Data encryption audits – Audit and document the storage controls and key management procedures for encrypted data. This typically applies to sensitive data only.
- Forensic log management and reporting – Continuously analyze the meta-data generated by system and security logs, and identify any adverse patterns.
- Elasticity & load tolerance testing – Ensure that resources can be augmented during peak periods by performing regular load tolerance and elastic demand management testing.
- Advanced cyber-attack prevention measures – Monitor and implement attack prevention measures proactively by integrating with new threat and vulnerability solutions.
- Advanced cloud security analytics – Establish an advanced cloud security analytics center as part of the GRC dashboard and centralize its monitoring and management.
Apart from the components listed above, as the cloud computing world evolves, an increasing number of regulations and checklists are emerging to ensure adherence to established standards, including SSAE 16 SOC 2 controls, FedRAMP authorization, HIPAA and Cloud Security Alliance (CSA) guidance. Your organization’s GRC framework for cloud should be able to streamline the audit and checklist-based assessments around these and ensure proper adherence to world-class standards for cloud adoption and security.
April 29, 2015
As many of you know, we recently released the results of the first ever data tracking experiment in the Dark Web. In the “Where’s Your Data?“ experiment, we used our patent-pending watermarking technology to embed invisible trackers within an Excel spreadsheet of 1,568 fake names, SSNs and credit card numbers. We then placed this spreadsheet in 8 locations within the Dark Web, and tracked where it travelled to and how fast it could spread. 12 days, 1,100 clicks, 47 downloads, 22 countries and 5 continents later we had our answer.
In speaking with a few attendees at the RSA conference, it became clear that some folks viewed the experiment as malware (a typical response from some of security’s more apprehensive bunch). A typical question was, “so you essentially used malware against them?”
I thought it was pretty funny, laughing as I explained more about the experiment to them, because they did have a fair point. If you really think about it, the watermark can be considered “malware-esque.” In actuality, it’s a tool built to provide enterprises with visibility into where corporate data is travelling, so that they can act accordingly. Embedding hidden sprinkles within documents, and then extracting data as a result of it (in this case user, device type, location, time) does strike an uncanny resemblance though. I guess you can call it white-hat hacking.
Today’s security world reminds me of the classic fantasy tales, where it seems like the bad guys always have the better gear (think Star Wars, Lord of The Rings, Fast and the Furious 7). Way cooler, way faster, way stronger, but the good guys always prevail. This watermark technology helps even the playing field a bit, giving the good guys a pretty badass weapon to fight back against the hackers and cyber criminals.
And you know what? The industry deserves this. Too long have companies feared moving to the cloud. Too long have breaches gone unnoticed, affecting millions of customers in the process. It’s not fair to the people whose data has been lost. Today 53% of breaches are the result of malware. It’s about time we start shrinking that number considerably.
As securers, our job is to be a modern-day blacksmith, forging technology that enterprises can use to protect themselves from the crooks. Happy to be working for a company that gets that.
April 27, 2015
By Chau Mai, Sr. Product Marketing Manager, Skyhigh Networks
According to Gartner, CISOs face a “double-edged sword” as they are tasked with combating the growth of shadow IT while enabling secure access to approved cloud services. Cloud file sharing and collaboration services can be an area of risk, as industries must remain vigilant about protecting their IP, ensuring regulatory compliance, and meeting data residency requirements. Today, we’ll take a look at cloud file sharing and collaboration for one industry in particular, Financial Services, which is subject to regulatory requirements including the Gramm-Leach-Bliley Act (GLBA), PCI DSS, and state and national privacy laws.
What specific challenges do Financial Services firms face?
Whether you’re a bank, an insurance company, or an investment advisory firm, sending your confidential information up to a cloud file sharing service comes with a unique set of concerns:
- External collaboration governance, i.e. control over how sensitive files are shared outside the company
- Compromised accounts and data theft from insiders
- Content and compliance, i.e. ensuring that sensitive files that are subject to compliance do not leak out of the organization
- BYOX and content proliferation, i.e. the rise of mobile and the growth in content being accessed from anywhere and from any device
Across all cloud service categories, file sharing accounts for 39% of all company data that’s uploaded to the cloud – and the average company uses 49 such services. Among file sharing users, 34% have uploaded sensitive information to one of these services, information that includes personally identifiable information (PII), payment card information, or other sensitive data that financial services firms own. What’s more, 21% of documents uploaded to file-sharing services contain sensitive or confidential data – not a trivial amount. Lastly, the sharing of information is occurring outside the company itself. Skyhigh found that 18% of external collaboration requests actually went to third-party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail). File sharing enables collaboration, which is a good thing, but when sharing is extended to un-verified personal accounts it can create risk for the organization.
How can firms safeguard themselves?
Fortunately, there are a host of cloud file-sharing providers who are dedicated to ensuring that your data is safely housed within them. Box, for example, provides security features to help you configure permissions and privileges, set custom security policies, and track activity that occurs in Box. They are one of the rare cloud file sharing and collaboration providers that do all three of the following: provide granular access controls, encrypt data at rest, and support multi-factor authentication.
Looking at the market as a whole, we see that only a fraction of cloud file sharing providers offer these key security features:
- Provide granular access controls – 53%
- Encrypt data at rest – 36%
- Use encryption strength 256-bit or higher – 22%
- Support multi-factor authentication – 16%
- Penetration testing performed by the cloud service provider – 36%
- Compliance certifications (such as ISO 27001, SOC2, etc) earned by the cloud service provider – 64%
When we compare all file-sharing services against those providers who specifically have an Enterprise offering, the differences are even more telling. The data shows that a higher percentage of providers with an Enterprise file sharing offer support for all of the security features mentioned above (for example, 46% support encryption at rest, vs. 36% for all cloud file sharing services). Improvements were found in other areas as well; for example, the percentage who supported anonymous use – which is seen as adding risk – dropped from 18% to 6%. From these data points, we can see that companies who sell to large enterprise have an interest in fulfilling the more stringent security and compliance requirements that those customers want.
In addition to the cloud providers themselves, end-users play a key role. We know that most employees who use cloud file sharing services are well-meaning users who simply need to be educated on what’s appropriate and what’s not. (My previous post outlines how just-in-time coaching can reduce your firm’s use of high-risk services by 65%.)
Gartner suggests that companies with stringent security and compliance requirements consider a Cloud Access Security Broker (CASB) to augment the native security capabilities of cloud file sharing and collaboration services. According to Gartner, a CASB should provide visibility, threat detection, compliance, and data security capabilities. If you’d like to learn more, Gartner has published a set of recommendations for organizations interested in mitigating the risks of moving to file-sharing services while reaping the benefits.
April 23, 2015
By Krishna Narayanaswamy, Founder and Chief Scientist, Netskope
Last week, we released our Netskope Cloud Report for this quarter – global as well as Europe, Middle East and Africa versions.
This report builds on our January Netskope Cloud Report in which we highlighted research on compromised user accounts. In it, we estimated based on our research that 15 percent of enterprise users have had their credentials stolen in a prior data breach. This quarter, we report that number is 13.6 percent over the report’s time period. We also correlate that data with the active usage data in our cloud. When you marry activity-level security analytics with data on compromised accounts, the risk picture becomes significantly clearer.
Among the more interesting findings from the report is that 23.6 percent of logins to Customer Relationship Management apps are by users who have had their account credentials (personal or corporate) compromised in a prior major data breach. While many IT and security organizations ensure that these important corporate apps are monitored and secured with an identity management solution, it’s an important reminder that users re-use logins and passwords across multiple accounts. It’s also important to note that for every one of these types of corporate apps, there can be dozens of ecosystem apps connected to it. So even if an app is well-secured, what about the apps that integrate with it?
Another key finding is that 70 percent of data uploads by users with compromised accounts are to apps that are rated “poor,” as compared with 30 percent for an average user. Monitoring cloud activity at the intersection of compromised users and risky apps goes a long way toward understanding security threats related to cloud apps – uploads to risky apps could signal data exfiltration, downloads could be malware, excessive activity could be a hijacked account. Looking at these pockets of activity can help you suss problems out quickly.
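The correlation described above, as an added example that is not Netskope's code: a handful of constructed cloud-activity log lines are joined against a constructed list of accounts seen in a prior breach dump and against an assumed app risk rating, and the script emits the signals the post names (a compromised user logging in to a business-critical app, uploads from compromised users to poorly rated apps, downloads from poorly rated apps, and burst activity that looks like a hijacked account). The field names, the rating scale and the burst threshold are assumptions.

```python
"""Correlating compromised-account data with cloud activity logs.

Added example, not Netskope's code. The log lines, the compromised-account
list and the app risk ratings are constructed for illustration; the field
names, rating scale and burst threshold are assumptions.
"""
import csv
import io
from collections import Counter

# Constructed activity log extract (CSV), one event per line.
ACTIVITY_LOG = """\
ts,user,app,app_category,action,bytes
2015-04-01T09:00:00Z,alice@example.com,SalesCRM,CRM,login,0
2015-04-01T09:05:00Z,alice@example.com,SalesCRM,CRM,download,120000
2015-04-01T09:30:00Z,alice@example.com,QuickShareBox,File Sharing,upload,5400000
2015-04-01T10:00:00Z,bob@example.com,SalesCRM,CRM,login,0
2015-04-01T10:10:00Z,bob@example.com,SalesCRM,CRM,download,80000
2015-04-01T11:00:00Z,carol@example.com,QuickShareBox,File Sharing,upload,2200000
2015-04-01T11:02:00Z,carol@example.com,QuickShareBox,File Sharing,upload,2300000
2015-04-01T11:03:00Z,carol@example.com,QuickShareBox,File Sharing,upload,2100000
2015-04-01T11:04:00Z,carol@example.com,QuickShareBox,File Sharing,upload,2500000
2015-04-01T12:00:00Z,dave@example.com,EnterpriseDrive,File Sharing,upload,900000
"""

# Constructed: accounts found in a prior breach dump, matched on e-mail address.
COMPROMISED = {"alice@example.com", "carol@example.com"}

# Constructed: ratings from a cloud-app risk index (assumed scale).
APP_RATING = {"SalesCRM": "medium", "QuickShareBox": "poor", "EnterpriseDrive": "excellent"}

BUSINESS_CRITICAL = {"CRM"}   # app categories whose logins are watched (assumption)
BURST_THRESHOLD = 3           # uploads within the log window before flagging (assumption)


def parse_log(text: str) -> list:
    """Parse the CSV extract into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def risky_upload_share(events, compromised) -> dict:
    """Fraction of uploads going to 'poor'-rated apps, compromised users vs. everyone else."""
    totals = {True: Counter(), False: Counter()}
    for e in events:
        if e["action"] != "upload":
            continue
        bucket = totals[e["user"] in compromised]
        bucket["all"] += 1
        if APP_RATING.get(e["app"]) == "poor":
            bucket["poor"] += 1

    def share(c):
        return c["poor"] / c["all"] if c["all"] else 0.0

    return {"compromised": share(totals[True]), "other": share(totals[False])}


def findings(events, compromised) -> list:
    """Emit (signal, user, detail) tuples for the activity patterns worth a look."""
    out = []
    uploads = Counter()
    for e in events:
        user, app, action = e["user"], e["app"], e["action"]
        rating = APP_RATING.get(app, "unknown")
        hit = user in compromised
        if hit and action == "login" and e["app_category"] in BUSINESS_CRITICAL:
            out.append(("compromised-login-critical-app", user, app))
        if hit and action == "upload" and rating == "poor":
            out.append(("possible-exfiltration", user, app))
        if action == "download" and rating == "poor":
            out.append(("possible-malware-download", user, app))
        if action == "upload":
            uploads[user] += 1
    for user, n in uploads.items():
        if n >= BURST_THRESHOLD:
            out.append(("excessive-activity", user, f"{n} uploads"))
    return out


if __name__ == "__main__":
    events = parse_log(ACTIVITY_LOG)
    print(risky_upload_share(events, COMPROMISED))
    for signal in findings(events, COMPROMISED):
        print(*signal)
```

Two practitioner points: an account "seen in a breach dump" raises the prior, it does not prove the account is being used by an attacker, which is why the value lies in intersecting that list with activity rather than in the list alone; and the app rating is what keeps alice's download from the medium-rated CRM quiet while her upload to the poorly rated sharing app fires, so a stale rating index is the main source of noise in this kind of logic.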
These are just a couple of examples to show the importance of understanding not just how many users with compromised accounts you have in your environment, but also how those users are interacting with your cloud apps and business-critical data.
April 21, 2015
By Kamal Shah, VP, Products and Marketing at Skyhigh Networks
The cloud is having a measurable impact on business – IT departments are migrating to cloud services in order to take advantage of faster time-to-market, reduced operational costs, and reduced IT spending and maintenance costs. In addition, employees are rapidly adopting cloud services to help them do their jobs with greater mobility. Productivity is soaring, and this interconnectivity has given rise to a new economy: the cloud economy.
The seventh installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a hard data-based analysis of enterprise cloud usage. With cloud usage data from over 17 million enterprise employees spanning all major verticals, this report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. And, this latest edition expands its scope to include the risk to enterprises from business partners connected through the cloud.
You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several eye-opening findings including the extent of cyber risk from partner connections. View the slideshow below for more highlights from the report.
8% of Partners Are High-Risk, but Receive 30% of Data
A number of attributes can classify a partner as high-risk, including being affected by malware or botnets, having compromised identities for sale on the darknet, suffering a breach, or being exposed to vulnerabilities such as POODLE. High-risk partners receive 30% of all data shared with partners, a disproportionately large amount.
58 “Super Partners” Are Connected to Over 50% of Enterprises
Many partners are well connected among the largest organizations, meaning a vulnerability within a single partner could have far-reaching consequences. The risk of these super partners is higher than the overall rate, with 12.5% considered high-risk. Top super partners include pest control, IT services, software, equipment manufacturing, hospitality, and consulting companies.
One Partner Has Over 9,000 Compromised Identities and 200 Devices with Malware
The report gives the risk attributes for several example partners. One airline had 9,716 credentials for sale on the darknet and 209 devices infected with malware. A financial services technology provider had 1,216 compromised identities across 19 darknet sites. An advertising agency had 1,565 compromised identities for sale across 29 darknet sites. All three partners are still vulnerable to POODLE.
Enablers of the Cloud Economy
Certain cloud services stand out as hyper-connectors, enabling the most partner connections. The top cloud connectors in the customer support category are Zendesk, Salesforce, and GrooveHQ. For file sharing, Sharefile, Box, and Wiredrive are the top connectors. In the collaboration category, the top connectors are Cisco WebEx, Slack, and Office 365.
Highest Risk Partner Categories
Not all partner categories are equal when it comes to risk. Telecommunications companies had the highest percentage of high-risk businesses, at 30% — double the rate of the tenth highest-risk category, Travel. Security teams should pay special attention to interactions with partners falling into the categories on this list.
April 10, 2015
By Sam Bleiberg, Communications Associate, Skyhigh Networks
San Francisco hosts more than its share of conferences and festivals, and residents know the best way to maximize your time at events is to go in with a plan. With that in mind, we created a Skyhigh guide to RSA. Planning your agenda from the laundry list of speaking sessions is overwhelming. The guide specifically highlights sessions on cloud security from a host of industry voices including analysts, enterprise practitioners, board members, and the founder of the Cloud Security Alliance. (Not signed up for RSA? Get in free with this code.)
From Nonexistent to Gartner’s #1 Security Technology in Three Years: What’s a CASB?
Gartner analysts Neil MacDonald and Peter Firstbrook first called attention to the cloud access security broker (CASB) category in May of 2012. Two years later, Gartner named CASB the number one security technology for 2014. Cloud’s transformational power in the enterprise has driven the need for this layer of security, with features including visibility into shadow IT, data governance, and encryption. Learn why progressive organizations including Cisco, HP, Western Union, and Zurich Insurance rely on this tool within their security portfolios. Panel participants include some of the top names in enterprise security, as well as MacDonald himself as moderator.
Beware the Cloudpocolypse: A Panel on Security from Cloud Providers
While enterprise-ready cloud providers can be more secure than on-premise storage, the propagation of consumer cloud services in the enterprise and the lack of visibility into cloud use are leading down the path to a “cloudpocolypse.” With Cloud Security Alliance founder Jim Reavis moderating, this session should provide an excellent high-level introduction to the risk posed by line of business cloud adoption. Specifically, there should be an interesting debate on which security responsibilities reside with the cloud provider, security provider, and enterprise.
Cloud Threats to the Enterprise
Addressing the Cloud Security Challenge: A Practitioner’s Experience
Jim Routh, CISO at Aetna, is not only a forward-thinking security leader, he’s also an excellent speaker, and his talk at the Cloud Security Alliance Summit at RSA promises valuable insights from the practitioner’s perspective. Routh has taken a proactive approach to cloud visibility and security, making a point to cut the sensationalism out of security to focus on data-driven decisions.
Victims DON’T Have Their Heads in the Clouds: An Insider Threat Case Study
While Snowden made insider threat a top of mind issue for every security team, the reality is that small-scale insider threat incidents frequently fly under the radar. Cloud offers a dangerous vector for insider threat because organizations lack control over sanctioned and unsanctioned cloud services. Only 17% of companies reported an insider threat incident at their organization in the past year, but 85% of companies had cloud usage activity strongly indicative of insider threat. We highlighted six particularly nefarious tales of insider threat in the cloud; this panel should provide practitioners with useful tips for preventing cloud insider threat.
Something Awesome on Cloud and Containers
It’s a good rule of thumb to tune in whenever Rich Mogull talks cloud security. While the description is ambiguous, this talk featuring the Securosis founder is mandatory for those paying attention to the cutting edge of cloud security.
Six Degrees of Kevin Bacon: Securing the Security Supply Chain
The average organization connects with 1,555 partners through the cloud, with 30% of data shared going to high-risk partners. Despite being the source of high-profile breaches at organizations like Target, risk from the partner environment is underrepresented in security industry conversations. In the case of Target, a heating and cooling vendor served as the entry point for attackers. This session covers a key security vector – one that may lead to future breaches if not properly addressed. Review our Q1 Cloud Adoption and Risk Report for key risk metrics from partner cloud connections.
Catered to the C-Level
Inside the Boardroom: How Boards Manage Cybersecurity and Risk
Cloud use and security have risen hand in hand, from lines of business, to the IT department, to the CIO and CISO. In 2014, security finally arrived in the boardroom with multiple CEOs losing their jobs in response to data breaches. This panel offers multiple perspectives, including those of a board member and a CISO.
Security Metrics That Your Board Actually Cares About!
Further to the topic, Australia Post CISO Troy Braban will share tips from his experience on selecting security metrics that resonate with the board. With Australia’s strict data residency regulations, Braban’s perspective should have great insights for security practitioners at global organizations.
April 7, 2015
By Chris Hines, Product Marketing Manager, Bitglass
783. That’s the total number of reported breaches involving stolen data that occurred in 2014 alone.
When the story first broke about the Morgan Stanley breach, where an ex-employee stole corporate data and pasted it on a file-sharing site called Pastebin, it got us thinking. We all hear about these massive breaches that take place–Target, Home Depot, Sony, Anthem, Premera–but what actually happens to the data after it is stolen? Where does it travel to? How many people see it, and how much damage can it cause?
In an effort to find the answers to these questions, we decided to launch the world’s first data tracking experiment located in the Dark Web. So, what did we do? We created an Excel spreadsheet of 1,568 fake employee credentials, then placed it on anonymous file sharing sites within the “Dark Web,” using a Tor browser as our entry point. We tracked the data as it travelled to various sinister locations around the world, and as it was shared amongst cyber-crime syndicates overseas. But how?
Here at Bitglass we have developed the first watermarking security solution on the planet. The patent-pending tracking technology works like this.
- The document travels through the Bitglass proxy when it is downloaded from a cloud or on-premise application to a mobile device.
- When this occurs, the document is automatically embedded with an invisible watermark.
- Every time the document is opened, a “ping” is sent to the Bitglass portal displaying: user name, file name, geographic location, IP address and device type.
- Even if a watermarked document is copied and pasted elsewhere, or mutilated in some way, the watermarks still persist.
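The tracking watermark described in the list above, and in the “Where’s Your Data?” post earlier on this page, is proprietary, and the post does not say how it is implemented. What follows is an added example, not Bitglass’s code, of the underlying principle: a per-download identifier is hidden in the document text as zero-width Unicode characters, repeated so that a pasted fragment still carries a full copy, and bound to a server-side key with an HMAC tag so that an identifier read back from a leaked copy can be verified rather than trusted. The encoding, the identifier format and the key are this example’s own assumptions; the “ping” on open that the post describes is a separate mechanism and is not modelled here.

```python
"""Per-download invisible text watermark with a verifiable owner tag.

Added example, not Bitglass's patented technology. It shows the general
idea behind a tracking watermark: every download carries a hidden,
per-user identifier that survives copy and paste and can be read back
from a leaked copy. The zero-width-character encoding, the ID format
and the HMAC tag are this example's own choices.
"""
import hashlib
import hmac

ZW0, ZW1, SEP = "\u200b", "\u200c", "\u200d"   # zero-width space / non-joiner / joiner
ZW_CHARS = {ZW0, ZW1, SEP}


def make_tag(download_id: str, key: bytes) -> str:
    """Short HMAC over the ID, so an edited or forged ID does not verify."""
    return hmac.new(key, download_id.encode(), hashlib.sha256).hexdigest()[:16]


def _to_marker(payload: str) -> str:
    """Encode the payload as one bit per zero-width character, delimited by SEP."""
    bits = "".join(f"{b:08b}" for b in payload.encode("utf-8"))
    return SEP + "".join(ZW1 if bit == "1" else ZW0 for bit in bits) + SEP


def embed(text: str, download_id: str, key: bytes, every: int = 4) -> str:
    """Append an invisible marker after every `every` words (and at least once)."""
    marker = _to_marker(f"{download_id}.{make_tag(download_id, key)}")
    words = text.split(" ")
    out = [w + marker if (i + 1) % every == 0 else w for i, w in enumerate(words)]
    if len(words) < every:          # short text: still carry one copy
        out[-1] += marker
    return " ".join(out)


def visible(text: str) -> str:
    """What a reader sees: the text with the zero-width characters removed."""
    return "".join(c for c in text if c not in ZW_CHARS)


def extract(text: str, key: bytes):
    """Return the download ID from the first intact marker whose tag verifies, else None."""
    for run in text.split(SEP):
        if not run or len(run) % 8 or any(c not in (ZW0, ZW1) for c in run):
            continue                      # visible text, or a marker cut off part-way
        raw = bytes(int(run[i:i + 8].replace(ZW0, "0").replace(ZW1, "1"), 2)
                    for i in range(0, len(run), 8))
        try:
            payload = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        download_id, _, tag = payload.rpartition(".")
        if download_id and tag.isascii() and hmac.compare_digest(tag, make_tag(download_id, key)):
            return download_id
    return None


if __name__ == "__main__":
    key = b"server-side-secret"             # constructed; never ships with the document
    doc = "Q2 forecast: revenue up 12 percent, headcount flat, two new regions"
    marked = embed(doc, "alice-dl-0042", key)
    print(visible(marked) == doc, extract(marked, key))   # True alice-dl-0042
    # a fragment pasted elsewhere still identifies the original download
    fragment = " ".join(marked.split(" ")[3:7])
    print(extract(fragment, key))                          # alice-dl-0042
```

The tag matters because the identifier is the evidence: without it, anyone who discovers the encoding can edit a leaked file to point at another user. The caveat is that a marker made only of zero-width characters disappears if the text is retyped, run through Unicode normalisation or pasted as plain ASCII, so schemes that must survive real mutilation spread the mark across several carriers (formatting, spacing, glyph choice) rather than relying on one.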
What we found from this experiment will change the way that our industry views data security today, and shine a light on the need for greater visibility into where sensitive data travels. Especially after a breach.
Who’s keeping tabs on your data?
Watch the video and download the report to see what we uncovered.
April 2, 2015
By Stephanie Bailey, Senior Director/Product Marketing, Perspecsys
Despite the clear benefits of the cloud, many enterprises still hesitate to adopt it fully or to capitalize on all of its advantages. There are a few key reasons for this hesitation: the prevalence of data breaches and hacks in recent years, stricter data residency requirements across geographical boundaries, and internal restrictions brought about by company policies, industry requirements and consumer expectations. Each of these reasons for delaying full adoption of the cloud deserves a deeper look into the strategies that can diminish or remove the risk to the enterprise.
Rise in Breaches & Hacking
In recent years, reports of data breaches across all types of industries and company sizes seem to occur on a regular basis. A recent PwC survey found that the number of security incidents detected in 2014 was 42.8 million, an annual increase of 48%, with an average cost of $2.8 million [i]. Of course many breaches go undetected or unreported, so that number, along with the financial losses, could be much higher. It’s no wonder that these reports cause some organizations to slow down and reevaluate their move to the cloud.
All of this means enterprises must contend with two separate security issues – external and internal. The external security issue means dealing with the loss of control associated with sending sensitive or regulated data to a 3rd party cloud service provider (CSP) and having to trust that information is processed and stored in a secure and compliant way. The internal issue entails having to figure out how to properly establish and implement the proper security standards to protect data within the corporate firewall, especially focused on challenges such as the rising prevalence of “bring your own device” and mobile computing.
Geographic Residency Requirements
Cloud data privacy laws can vary greatly by country and region. Currently, the European Union, and Germany in particular, has some of the strictest laws in the world, creating a more restrictive environment for enterprises. Various geographic data residency requirements prevent some enterprises from moving regulated data outside the borders of the countries in which they operate. Maintaining strict security standards is especially important in countries concerned with the collection of personally identifiable information (PII). Since a CSP may store data, including PII, in any number of data centers worldwide, this prevents some enterprises from taking advantage of the cloud if they operate within these stricter geographic regions.
Internal & Industry Requirements
There are also data privacy concerns driven by internal management and/or defined by external industry guidelines. An enterprise’s list of internal security requirements is often evaluated against published industry standards to ensure that sensitive information is adequately protected. These standards may be legally required by industry, government or, again, geographic region. Many industries depend on the collection of PII to conduct daily business operations, serve customers and process payments and receipts, and therefore have strict regulations about how and where this data may be stored and shared.
Cloud data privacy issues are also a key concern for individual consumers using an organization’s or business’ cloud application. With the proliferation of the Internet and cloud computing more PII is being shared online, making individuals vulnerable to security risk. Increasingly, savvy individuals want to know that the information being put in the cloud is adequately protected and secured by the organization.
Finally, many B2B enterprises find that their business contracts have specific stipulations associated with how their business customer’s data needs to be treated – especially if it is going to be processed in cloud-based 3rd party systems as part of the contractual service being provided. These contractual relationships can have severe penalties associated with data exposure, so enterprises need to take special steps to mitigate against any security risks.
How to Address These 3 Reasons for Hesitation
There is little doubt that the proliferation of business-improving cloud applications will continue in the coming years and provide advantages to those that adopt them. The question is how enterprises that are hesitating now can reevaluate and begin adopting popular cloud applications while meeting the security demands placed on them. One option some enterprises have chosen is to forgo public cloud applications and build a private cloud, a costlier option with less access to leading innovations in most cases. But there are other strategies for adopting popular public cloud applications without forgoing security requirements. It begins with a well-architected security plan that includes a strategy such as cloud encryption or tokenization to protect data before it is sent off-site to any public cloud application.
One emerging strategy is to implement solutions in a technology category known as Cloud Access Security Brokers (CASBs). With CASBs, organizations have a hosted or on-premise control point for all data as it moves to the cloud. Gartner recently published a report that discussed the growing use of CASB to enforce core security policies for data moving to the cloud – stating CASBs “will become an essential component of SaaS deployments by 2017”. [ii] Forrester’s recent Market Overview on Cloud Data Protection Solutions (CDP) went so far as to say, “CDP Solutions Are a Mandatory Security Control.”[iii] This is a fast-paced space that will have a high impact on cloud computing going forward – particularly for those enterprises currently hesitating to fully adopt the cloud now.
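As an added example (not Perspecsys’s product or code) of the tokenization strategy named above, the following replaces the sensitive fields of a customer record with tokens before the record is sent to a cloud application, keeping the real values in a vault that stays on-premise or in-region, which is the control-point role the CASB paragraph describes. The field names, the record layout, the token formats and the sample record are assumptions constructed for the example.

```python
"""Tokenizing sensitive fields before a record leaves for a cloud app.

Added example, not Perspecsys's product or code. The sensitive fields of a
record are swapped for tokens by a vault that stays on-premise or in-region,
and only the tokenized record goes to the cloud application. Field names,
record layout, token formats and the sample record are assumptions.
"""
import re
import secrets

# Fields that must not leave the region in clear text (assumed policy).
SENSITIVE_FIELDS = {"ssn", "card_number", "email"}


def luhn_ok(number: str) -> bool:
    """Luhn check: real card numbers pass it, the card tokens below deliberately do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token <-> value mapping. This is the crown jewel and never goes to the cloud app."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}   # deterministic: the same value always gets the same token

    def tokenize_value(self, field: str, value: str) -> str:
        key = (field, value)
        if key in self._token_by_value:
            return self._token_by_value[key]
        token = self._new_token(field, value)
        while token in self._value_by_token:      # keep tokens unique
            token = self._new_token(field, value)
        self._value_by_token[token] = value
        self._token_by_value[key] = token
        return token

    def detokenize_value(self, token: str) -> str:
        return self._value_by_token[token]

    @staticmethod
    def _new_token(field: str, value: str) -> str:
        if field == "card_number":
            # Length-preserving: last four digits kept so the cloud app can still show
            # "ending in 1111", the rest random, and the result forced to fail Luhn so
            # it is never mistaken for a live PAN by DLP or downstream systems.
            digits = re.sub(r"\D", "", value)
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if luhn_ok(token):
                token = str((int(token[0]) + 1) % 10) + token[1:]
            return token
        if field == "email":
            # Keep the domain so grouping by organisation still works in the cloud app.
            _, _, domain = value.partition("@")
            return f"tok-{secrets.token_hex(6)}@{domain}"
        return "tok-" + secrets.token_hex(8)


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Cloud-bound copy: sensitive fields replaced by tokens, everything else unchanged."""
    return {k: vault.tokenize_value(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def detokenize_record(record: dict, vault: TokenVault) -> dict:
    """Restore the original values when the record comes back from the cloud app."""
    return {k: vault.detokenize_value(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    customer = {"id": 17, "name": "A. Example", "ssn": "123-45-6789",   # constructed record
                "card_number": "4111 1111 1111 1111", "email": "a.example@example.com"}
    outbound = tokenize_record(customer, vault)
    print(outbound)
    print(detokenize_record(outbound, vault) == customer)
```

The design choices are the ones a CASB deployment has to make explicitly: deterministic tokens keep equality search and de-duplication working in the cloud app, at the cost of revealing when two records share a value (a random token per occurrence is safer but breaks search); format-preserving tokens keep the app’s validation and display intact; and the vault becomes the highest-value asset in the architecture, so it needs its own access control, audit logging and backup, and it is exactly the component that must stay inside the residency boundary.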
March 27, 2015
By Raj Samani, Vice President and CTO, McAfee EMEA
Can we really trust cloud computing? Or perhaps more importantly do you trust the cloud? And does the perceived lack of transparency, combined with recent negative headlines, impact future investments in cloud computing?
In conjunction with the Cloud Security Alliance, we have prepared a survey to gain a better understanding of the perceived trust within cloud computing. Our Cloud Trust survey is intended to tell us about levels of trust and where the fundamental differences lie between certain geographies and organizations (by size).
The reality is that cloud computing plays an integral role in our digital lives and allows all of us to focus on what matters most while outsourcing the work required to deliver our email, host our websites and much else. Gaining an understanding of the emerging security and privacy requirements is important. It gives us a platform that we can trust and rely on, both as consumers and within our work lives.
We therefore really need your help. Please take five minutes to provide your feedback. Let us know your perception of how trustworthy cloud computing is and has been, and more importantly the measures that are required for the future cloud. The survey can be found here.
So far the results make for some really interesting reading, most notably that the cloud is seen as considerably more trustworthy than 12 months ago. We will keep the survey open a little longer and publish a report based on the findings. This will help all of us as an industry introduce the necessary trust within the cloud computing services that we rely on.
March 26, 2015
By Chris Hines, Product Marketing Manager, Bitglass
“As soon as you allow a user to have access to the cloud applications, let’s say it’s a file sharing service, inevitably they want to do it from their own device, from home, from their iPad, from their Android device, inevitably this will happen” – Neil MacDonald, Gartner Analyst
Given the abundance of mobile devices, coupled with the productivity and cost reduction benefits they bring, the number of companies that allow employees to access sensitive corporate data from their personally-owned devices has continued to flourish. According to Gartner, by 2017, over half of organizations will actually FORCE users to bring their own device to work.
This proliferation of data that is now moving outside of company networks, down to things like employee-owned smartphones, tablets and laptops can increase the chance of data leaking out and getting into the wrong hands. This is perhaps why BYOD has become a huge pain point for professionals looking to secure mobile devices (I’m sure a lot of you are already cringing at the thought of BYOD security). It also doesn’t help that the employees themselves have a false sense of mobile security savvy.
It turns out that, surprise, surprise, smartphone users are making silly and unsafe mistakes when it comes to privacy. A survey of 1,000 smartphone users done by security firm Lookout found that, of those who said they were security savvy, 52% admitted to not reading privacy policies before downloading mobile apps, 34% didn’t set a PIN or passcode on their phones and 35% downloaded mobile apps from unofficial marketplaces. It’s also important to point out that 76% connect to public Wi-Fi networks, increasing the risk of cyber criminals getting their hands on sensitive data coming down to mobile devices.
So, how do you solve for BYOD security?
If you want to secure BYOD devices you should invoke a “managed” vs. “unmanaged” device profile policy within your company. Here is a diagram that demonstrates what a policy like this might look like.
As you can discern from the diagram, very different contextual access controls, application access rules and data protection techniques are used for managed vs. unmanaged devices. Since “managed” devices pass the contextual access control test, they can access any cloud application they would like and have full access to all data stored within them. Because of the managed device profile, these pose significantly less risk to your corporate data than “unmanaged” devices.
Unmanaged devices do not pass the contextual access control test, which limits their application access to sensitive data and increases the data protection methods applied to them. This profile involves controlled access. A clear example of this would be forcing unmanaged devices into an encrypted container for all downloads made from cloud apps, and redacting certain keywords before they hit the device.
The managed vs. unmanaged approach to security works because no matter what your security posture may be, it allows for BYOD security while providing the productivity, and cost reduction benefits companies were aiming for to begin with.
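As an added illustration (not part of Bitglass’s post or product), here is a small Python policy evaluator that models the managed vs. unmanaged decision described above: a contextual access control test built from device signals, full access for managed devices, and container-wrapped, keyword-redacted downloads for unmanaged ones. The device signals, the list of sensitive apps and the redaction patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the post).
SENSITIVE_APPS = {"finance-erp", "hr-portal"}          # off-limits to unmanaged devices
REDACT_PATTERNS = [
    r"(?i)\bproject falcon\b",                         # a confidential project keyword
    r"\b\d{3}-\d{2}-\d{4}\b",                          # SSN-shaped values
]

@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool      # enrolled in the corporate MDM
    has_corp_cert: bool     # presents a corporate device certificate
    os_current: bool        # OS at or above the required patch level

@dataclass
class Decision:
    profile: str            # "managed" or "unmanaged"
    allow: bool             # may the device reach this app at all?
    encrypt_container: bool # must downloads land in an encrypted container?
    content: str            # the data as it will be delivered to the device

def classify(device: Device) -> str:
    """Contextual access control test: every signal must pass to be 'managed'."""
    if device.mdm_enrolled and device.has_corp_cert and device.os_current:
        return "managed"
    return "unmanaged"

def redact(text: str) -> str:
    """Strip the configured keywords/patterns before data reaches an unmanaged device."""
    for pattern in REDACT_PATTERNS:
        text = re.sub(pattern, "[REDACTED]", text)
    return text

def evaluate(device: Device, app: str, content: str) -> Decision:
    """Apply the profile policy to one download request from a cloud app."""
    profile = classify(device)
    if profile == "managed":
        # Managed devices get any app and the data unmodified, outside a container.
        return Decision(profile, True, False, content)
    if app in SENSITIVE_APPS:
        # Unmanaged devices are blocked from sensitive apps entirely.
        return Decision(profile, False, True, "")
    # Otherwise: controlled access, container required, keywords redacted.
    return Decision(profile, True, True, redact(content))
```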
Now that you know how to achieve BYOD security, it’s time for you to take a look at your own infrastructure and start building your device profiling strategy. Here’s how to get started