SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?

September 29, 2014

By Patriz Regalado, Product Marketing Manager, Venafi

The majority of people and consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of the check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on a Fandango mobile app.  People will automatically assume the company has issued a secure app, especially if the app comes from a reputable G2000 company and they downloaded it from the Apple or Google Play app store—or even directly from their employer.  What could possibly go wrong?

Well, evidently there’s a lot that can go wrong.  SSL vulnerabilities in the Android and iOS ecosystems and the man-in-the-middle (MITM) attacks they enable are exposing consumers’ banking credentials, health information, and other personal information.  What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps, as university researchers recently uncovered. The study found Android vulnerabilities that let the researchers capture personal information such as usernames and passwords and social security numbers, and steal check images, from popular mobile apps with the following success rates:

  • 92% for  Gmail
  • 83% for Chase
  • 92% for H&R Block
  • 86% for Newegg
  • 85% for WebMD
  • 83% for Hotels.com
  • 48% for Amazon

FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks.  FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates.  And of the 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing data they exchange with their servers to potential theft.

It wasn’t too long ago that MITM attacks emerged as a major threat to web-based, online transactions, and now we see that MITM attacks are increasingly becoming more widespread for mobile apps.  Mobile apps, just like websites, use the same method to secure communications—SSL/TLS.  However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks.  For example, an attacker can substitute a legitimate SSL certificate with one under his control and view data exchanged between the mobile device and remote server or manipulate private information submitted by the user.
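
The validation failure described above is usually introduced by a handful of recognisable code patterns: a trust manager whose checkServerTrusted body is empty, a hostname verifier that always returns true, or a client library’s validation flags switched off. The following added example, which is not code from the original post or from Venafi, is a small static checker that flags those patterns in Android (Java) and iOS (Objective-C) source. The rule list is a set of heuristics assembled for this example, the sample snippets are constructed, and the names in the hardened snippet (platformTrustManager, sha256Base64, PINNED_SPKI_HASHES) are hypothetical.

```python
import re
from dataclasses import dataclass

# Heuristic rules written for this example: each regex matches a code pattern
# commonly used to switch off server-certificate validation, paired with a
# description of what it weakens. Treat hits as review prompts, not proof.
RULES = [
    # Android / Java
    (r"ALLOW_ALL_HOSTNAME_VERIFIER",
     "Apache HttpClient hostname verification disabled"),
    (r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}",
     "empty X509TrustManager.checkServerTrusted() accepts any certificate chain"),
    (r"public\s+boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;",
     "HostnameVerifier.verify() always returns true"),
    (r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(",
     "WebViewClient.onReceivedSslError() proceeds despite an SSL error"),
    # iOS / Objective-C
    (r"setAllowsAnyHTTPSCertificate",
     "private NSURLRequest API that accepts any HTTPS certificate"),
    (r"allowInvalidCertificates\s*=\s*YES",
     "AFNetworking security policy allows invalid certificates"),
    (r"validatesDomainName\s*=\s*NO",
     "AFNetworking domain-name validation disabled"),
]
COMPILED_RULES = [(re.compile(p, re.DOTALL), d) for p, d in RULES]

# Constructed sample (not from any real app): a trust-all manager and verifier.
VULNERABLE_ANDROID = """\
// Constructed sample: trust-all manager and verifier.
TrustManager[] trustAll = new TrustManager[] {
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }
};
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

# Constructed sample: AFNetworking policy with validation switched off.
VULNERABLE_IOS = """\
// Constructed sample: AFNetworking policy with validation switched off.
AFSecurityPolicy *policy = [AFSecurityPolicy defaultPolicy];
policy.allowInvalidCertificates = YES;
policy.validatesDomainName = NO;
"""

# Constructed hardened sample: delegate to the platform trust manager first,
# then pin the leaf public key. Helper names are hypothetical.
HARDENED_ANDROID = """\
// Constructed sample: platform validation followed by a public-key pin.
public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
    platformTrustManager.checkServerTrusted(chain, authType);
    String spki = sha256Base64(chain[0].getPublicKey().getEncoded());
    if (!PINNED_SPKI_HASHES.contains(spki)) {
        throw new CertificateException("server key does not match pinned key");
    }
}
"""


@dataclass
class Finding:
    line: int      # 1-based line where the match starts
    rule: str      # description from RULES
    snippet: str   # first line of the matched text


def scan_source(text):
    """Return findings for every rule match in the source, ordered by line."""
    findings = []
    for regex, description in COMPILED_RULES:
        for m in regex.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            snippet = m.group(0).split("\n")[0].strip()[:70]
            findings.append(Finding(line_no, description, snippet))
    return sorted(findings, key=lambda f: f.line)


def report(name, text):
    """Print a human-readable summary for one source file."""
    findings = scan_source(text)
    print(f"{name}: {len(findings)} finding(s)")
    for f in findings:
        print(f"  line {f.line}: {f.rule}\n    {f.snippet}")


if __name__ == "__main__":
    report("vulnerable Android", VULNERABLE_ANDROID)
    report("vulnerable iOS", VULNERABLE_IOS)
    report("hardened Android", HARDENED_ANDROID)
```

The hardened snippet passes because it still calls the platform trust manager before adding a pin; a pin that replaces chain validation instead of supplementing it would be a weaker design than either check alone.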

Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities.  It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.

Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 2 of 2)

September 25, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

In my previous post, I addressed three major trends that play an immense role in cybersecurity initiatives. These trends include the growth of digital business, information risks, and regulatory requirements. In this post, I’ll focus on issues related to collaboration and compliance. Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems?

First, ensure that your strategy and policies are clear with respect to collaboration and compliance. These statements should address those areas requiring external and internal collaboration and the regulatory environment in which you operate. They should also address those information risks that are most significant for the organization. Since all of these topics evolve rapidly, you should conduct regular executive and Board-level reviews of these plans and policies.

Second, ensure that you have the appropriate staff, organization, and business processes to implement the above plans and policies. Management and staff development for these issues is vital and particularly challenging since the environment is so dynamic. A recent survey by Gartner summarizes these issues well. However, this organizational development will be essential to realize the 80% new business models in the next five years described in the Accenture survey cited in my previous post. Many organizations are developing enterprise-wide governance, risk management, and compliance (GRC) programs. GRC programs include governance (the processes by which executives and boards manage the enterprise), risk management (the processes by which management addresses risks to the enterprise), and compliance (the processes by which the enterprise complies with applicable laws and regulations). As enterprises become increasingly information-intensive, the protection of information assets is becoming more important in all three primary aspects of GRC programs.

Finally, enterprise systems must perform a broad range of business-critical functions, including the implementation of the above policies and business processes necessary to enable digital business agility, to protect sensitive corporate information, and to enable regulatory compliance. The challenge for CIOs is to design and operate these systems balancing requirements for functionality, performance, and costs while providing necessary security and compliance with corporate policies and regulatory requirements. End users will focus on functionality and performance, the CFO will focus on the costs, while the GRC program must ensure proper security and compliance. There is a growing market for systems to implement the policies and procedures of a GRC program, but the definitions of policies and procedures must precede selecting a GRC platform.

It is clear that we will continue to see growth in the importance of secure collaboration and regulatory compliance in the development of digital business. The ancient curse, “May you live in interesting times,” certainly applies to today’s business environment.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

Worse than Heartbleed?

September 24, 2014

Jim Reavis, Cloud Security Alliance

Today at 10am EST a vulnerability in the command shell Bash was announced (http://seclists.org/oss-sec/2014/q3/649 and http://seclists.org/oss-sec/2014/q3/650). Bash is a local shell; it doesn’t handle data supplied by remote users, so no big deal, right? Wrong.

A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples of this include web servers running CGI scripts, and even email clients and web clients that pass files such as video or sound files to external programs for display.

In short, this vulnerability allows attackers to cause arbitrary command execution remotely, for example by setting headers in a web request or by setting unusual MIME types.

To test if your system is vulnerable just try this on bash:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you’re vulnerable it’ll print:

vulnerable
this is a test

If you’ve updated Bash you’ll only see

this is a test
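
Because the injected function definition has to arrive in something the CGI layer exports as an environment variable, a request line, Referer or User-Agent carrying “() {” in a web server access log is a strong indicator of an attempt to exploit the bug described above. The following added example, which is not part of the original post, parses Apache-style combined log lines and flags entries whose request, Referer or User-Agent field contains that marker after percent-decoding. The log lines are constructed for the example, using documentation address ranges.

```python
import re
from urllib.parse import unquote

# A Shellshock payload must start with a function definition, "() {", inside a
# value that the CGI layer exports as an environment variable. Match that
# opener, allowing for whitespace variations.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" format:
#   ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation address ranges, not real traffic).
# Line 3 carries the marker percent-encoded in the query string.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2014:15:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [24/Sep/2014:15:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [24/Sep/2014:15:02:30 +0000] "GET /cgi-bin/status.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 200 512 "-" "curl/7.37.0"
192.0.2.9 - - [24/Sep/2014:15:03:00 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_fields(entry):
    """Names of the logged fields that carry the marker once percent-decoded."""
    return [f for f in ("request", "referer", "ua")
            if SHELLSHOCK_MARKER.search(unquote(entry[f]))]


def find_attempts(log_text):
    """Scan a log and return (line_no, client_ip, fields) for each suspicious entry."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        fields = shellshock_fields(entry)
        if fields:
            hits.append((n, entry["ip"], fields))
    return hits


if __name__ == "__main__":
    for n, ip, fields in find_attempts(SAMPLE_LOG):
        print(f"line {n}: {ip} sent a Shellshock marker in {', '.join(fields)}")
```

Only the request line, Referer and User-Agent are written to a default access log, so an attempt carried in any other header will not appear here; the absence of hits says nothing about whether the system was probed, and patching Bash remains the fix.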

There is more information available at the following links:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

And patches for Bash (most versions in the last 15 or so years) are available:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

Enabling Secure Collaboration and Compliance by Mitigating Increasing Information Risks (Part 1 of 2)

September 24, 2014

By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.

The growth of digital business, information risks, and regulatory requirements are major global business trends that have an immense impact on cybersecurity. These trends are prevalent throughout a broad range of industries – including the financial, aerospace and defense, and retail sectors, among many others – and present many opportunities and threats.

Realizing the potential benefits from digital business requires significant transformation involving greater collaboration with customers, suppliers, partners, and regulators. Performing this collaboration in a timely, cost-effective, and secure way in compliance with necessary laws and regulations is a necessary competency for many organizations.

Protection of information assets is a dynamic and significant topic for many enterprises. For example, Lloyd’s Risk Index for 2013 lists cyber risk as #3 on its list of 50 corporate risk priorities among business, economic, political, environmental, and natural hazard risks. While cyber threats from external organizations are very serious, many types of information risks also arise from lack of training and awareness of regulations and business practices or from errors in implementation.

Risk and compliance are increasingly important areas for corporate executives and board members in many industries, notably including those discussed here.

The Global Growth of Digital Business and Distributed Collaboration

Five years ago, Forrester and Adobe published a report on the future of business collaboration. In that report they state “Today’s collaboration requirements are only a midpoint on a trend line toward a highly distributed, digitally connected, partner-fueled, and customer-driven future.” In the past five years, the world has accelerated significantly toward that future.

Last year the McKinsey Global Institute published a report in which they predict that within a decade there will be more than 2 billion people with Internet access and that we will see $5T-$7T of economic impact from automation of knowledge work. Another recent McKinsey paper stated, “Digitization is rewriting the rules of competition.” The authors also observe, “For businesses, digitization is transforming even physical flows of people into virtual flows, enabling remote work through tools for global collaboration.”

In January, Accenture published a survey of “500 C-level executives from 10 economies (both developed and emerging) about the key influence on their corporate strategy over the next five years.” There are two results to cite here. First, “the ability of technology and innovation to reshape industry norms and boundaries was most commonly cited as the most important structural shift that businesses will face over the next five years.” Second, “60 percent plan to pursue growth in, or in collaboration with, other industries,” and “80 percent are planning growth via new business models.”

Similar analyses and examples like the incredible growth of new technology-driven companies like Google and Facebook all show the accelerating pace of digital business and the importance of connected collaboration in the business environment.

The Global Growth of Information Risks

A recent report by the World Economic Forum contains this conclusion:

“Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks — and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.”

These cyber threats are very diverse. Incidents within the past 12 months arising from diverse external threats include:

  • The Heartbleed incident exploiting vulnerabilities in the Internet infrastructure
  • The Target breach exploiting supply chain vulnerabilities
  • CryptoLocker (and further generations of ransomware) exploiting software defaults and human behavior
  • The JP Morgan breach exploiting web server vulnerabilities

As noted earlier, many other types of information risks arise from lack of training and awareness of regulations and business practices or from errors in system or process implementation. For example, the most recent Verizon Data Breach Report notes that “miscellaneous errors” (e.g., sending email messages with sensitive information to incorrect recipients) cause more than 25% of data breaches. The report states collaboration with external partners about sensitive information can often lead to problems without proper management attention: “…business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other.”

By 2020, threats to critical infrastructure will be even more significant than what we face today. With industries accelerating digitization to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.

The Global Growth of Regulatory Compliance Requirements

The US regulatory environment has grown steadily in the past several decades. While measuring the scale and economic benefits is uncertain and controversial, some metrics give insight into this growth. Data from the Mercatus Center at George Mason University shows that the total word count for federal regulations now exceeds 100 million. Moreover, the growth of this total has exceeded the growth of the US GDP since this analysis began in 1997. The US Office of Management and Budget produces an annual report on the costs and benefits of regulation but acknowledges the large uncertainties and omissions in their estimates. However, there is no doubt that costs in the US alone are in the $100’sB annually. Compliance elsewhere is also significant, notably in the European Union.

There are many types of sensitive personal and corporate information protected by thousands of regulations. These include regulations for personal health and financial information, export control, intellectual property, Board proceedings, public company filings, mergers and acquisition plans, etc.

The growth in the size of corporate compliance staffs and in their compensation illustrates the increasing importance of regulatory compliance. Failures have led to significant fines and imprisonment. As a result, many new Chief Compliance Officers have direct reporting relationships to top executives and their boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of the growth of this area.

Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today’s supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the needs to protect intellectual property. For example, Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) is a European Union Regulation for controlling production and use of chemicals and their potential impacts on health and environment. Companies involved in registering a chemical have the obligation to share data about it with government agencies and other specified organizations. Data in the registration documents is valuable intellectual property, and enterprise policies must ensure proper protection.

Addressing the Combined Impact of These Trends on Strategic Business Planning and Operations

Together these trends add up to the following conclusions:

  • The growth and trajectory of key areas of information technology – cloud, mobility, social media, big data, etc. – are having inescapable impacts on business plans and operations. These are now C-Level and Board issues with significant operational impact.
  • Information risks have also become C-Level and Board issues. For example, the recent Target breach was a key factor in the resignations of the CEO and other executives and in litigation filed against several Directors for lack of proper oversight.
  • While the global net value of regulatory compliance may be debatable, the requirements for enterprise compliance are not. The growth of digital business with larger information risks will lead to further types of regulation.

Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems? We’ll discuss this and more in the second part of this blog series coming soon.

About the Author

Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.

New CSA Survey Reveals Emerging International Data Privacy Challenges; Discrepancies Illustrate the Demand for Data Protection Harmonization

September 23, 2014

By Evelyn de Souza, Data Privacy and Compliance Leader, Cisco Systems

According to a new survey from Cloud Security Alliance sponsored by Cisco, there is a growing and strong interest in harmonizing privacy laws towards a universal set of principles. Findings include overwhelming support for a global consumer bill of rights, global themes regarding data sovereignty, and the OECD principles as facilitating the trends of IoT, Cloud and Big Data.

Data privacy considerations are often overlooked in the development phase of cloud, IoT and Big Data solutions and put in the “too hard” basket. Historically, data privacy experts and the Information Security industry at large have focused on the deviations between different regions instead of the similarities, which could encourage more effective collaboration.

The Cloud Security Alliance tested the existence of universal data privacy and data protection concepts and the extent to which these can be drivers for global co-operative efforts around Cloud, IoT and Big Data. We hand-picked over 40 of the most influential cloud security leaders worldwide for their insights on existing international data protection standards and demands. The Data Protection Heat Index Survey Report was structured in four parts, and the findings were highly indicative of a positive role that privacy and data protection principles can play in the development of cloud, IoT and big data solutions.

Data Residency and Sovereignty
Many organizations struggle with issues around data residency and sovereignty. However, there was a common theme of respondents identifying “personal data” and Personally Identifiable Information (PII) as the data that is required to remain resident in most countries.

Lawful Interception
Responses indicated a universal interpretation of the concept of lawful interception, with responses such as: “The right to access data through country-specific laws if the need arises, i.e. data needs to be made available for a cybercrime investigation.”

User Consent
73 percent of respondents indicated that there should be a call for a global consumer bill of rights and furthermore saw the United Nations as fostering that. This is very significant given the harmonization taking place in Europe with a single EU Data Privacy Directive for 28 member states, as well as the renewed calls for a U.S. Consumer Bill of Privacy Rights in the United States and cross-border privacy arrangements in Australia and Asia.

Privacy Principles
Finally, we explored whether the OECD privacy principles, which have been very influential in the development of many data privacy regulations, also facilitate popular trends in cloud, IoT and big data initiatives or instead create tension with them. The responses were very much in favor of facilitating the various trends.

The Data Protection Heat Index survey findings indicate a shared interest in incorporating emerging privacy principles into new solutions versus trying to retrofit existing solutions. The survey report includes an executive summary from Dr. Ann Cavoukian, Former Information and Privacy Commissioner of Ontario, Canada and commentary from other industry experts on the positive role that privacy can play in developing new and innovative cloud, IoT and Big Data Solutions. Download the Data Protection Heat Index survey report. Please tell us what you think by posting your comments below.

Where do you see opportunities for broader industry co-operation around data protection and data privacy?

Evelyn de Souza is a Data Privacy and Compliance Leader at Cisco Systems, where she focuses on developing industry blueprints to help organizations embrace the cloud securely and ensure data privacy in an agile manner. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn previously co-chaired the CSA Cloud Controls Matrix working group and played an integral role in guiding its development and evolution.

The Cloud Perception-Reality Gap Lives On in CSA Survey

September 22, 2014

by Krishna Narayanaswamy, Netskope Chief Scientist

I thought we had moved beyond the cloud app perception-reality gap.

Shadow IT has been a topic of much conversation in the media, at conferences, and among our customer and partner communities for the past several years. Gartner highlighted the issue when the analyst firm declared cloud access security brokers as the #1 information security priority for this year. And vendors have been reporting for over a year on the many hundreds of cloud apps they observe per enterprise. This is a known issue.

But if you read “Cloud Usage: Risks and Opportunities Report,” which was released by the Cloud Security Alliance on Friday, you may think you’re reading a report from last decade. The report details results from a survey conducted by the Cloud Security Alliance to 165 IT and security practitioners across a variety of industries and geographies.

Among the many surprising responses, three findings particularly struck me:

  • How many cloud apps do people think they have? According to the report, more than half (54 percent) of respondents believe that they have ten or fewer cloud apps. Ten or fewer! I use ten cloud apps in my first fifteen minutes at work each day. OK, that’s a slight exaggeration, but not by much. A full 87 percent of respondents believe they have 50 apps or fewer. When we perform a Cloud Risk Assessment for our customers and prospects, we ask this question. The most common answer is 50, and the average we find is 508 apps. That’s a ten-fold difference.
  • How much sensitive content is shared? According to the report, nearly half (48 percent) of respondents believe that less than 5 percent of their sensitive content in the cloud has been shared with unauthorized individuals or individuals outside of the organization. I think that’s low. In our cloud, we see that there are three shares for every content upload within cloud storage, and 49 of the 55 app categories we track have apps that enable sharing. That’s a lot of sharing.
  • How many apps are connected to the corporate directory? According to the report, 44 percent of respondents believe that 5 or fewer apps are integrated with their corporate directory. I guess that’s not surprising given #1, but if you believe that the reality is that organizations have 508 apps on average, that’s less than one percent. Given all of the recent data breaches, including ones involving cloud-based remote access technologies, you’d think that organizations would either want to authenticate users as they log into cloud apps or enforce policies to steer users to similar apps that are integrated with the corporate directory. After all, many of these apps are business-critical and house sensitive data.

Many of our customers and prospects have become a lot more aware of shadow IT, but based on this survey, it looks like we still have work to do to educate organizations about the magnitude of the issue, and what steps can be taken to discover and safely enable those apps. Get the full report here.

Call for Volunteers: Critical Areas of Focus in Cloud Computing/Guidance v4

September 19, 2014

By J.R. Santos, CSA Global Research Director

Today at our annual CSA Congress in San Jose, we are announcing a formal recruitment effort for volunteers to help develop the next Critical Areas of Focus in Cloud Computing Guidance, version 4.

This is among the most important guidance documents the CSA makes available to cloud users, as it plays an important role in helping users establish a stable, secure baseline for cloud operations. It also provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.

This next iteration of the Guidance will extend the content included in previous versions with practical recommendations and requirements that can be measured and audited. As a CSA industry expert author, you will have the opportunity to present a working product that is measured and balanced between the interests of cloud providers, cloud brokers, auditors, and tenants.

This adoption of cloud is intended to include new technologies in big data, mobile, IoT, SDN, and interoperability and portability in the cloud. Guidance, version 4 will also incorporate lessons learned from CSA working groups and other various CSA activities into one comprehensive C-level best practice.

Most importantly, Guidance, version 4 will serve as the gateway to emerging standards being developed in the world’s standards organizations, and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.

Sound challenging and interesting? Then join us! We welcome your time, ideas and energy in making the next Critical Areas of Focus in Cloud Computing Guidance a continued benchmark document that looks to the future in helping managers adopt the cloud paradigm safely and securely.

If you would like to contribute, please fill out the following on-line form at https://cloudsecurityalliance.org/research/guidance-v4-volunteer/.

After the form is complete, someone from the CSA Research Team will contact you with next steps.

CSA Hackathon On! Launches Today at CSA Congress 2014

September 18, 2014

Today at 9 am PT, we officially kicked off our second Hackathon, where we are inviting the most determined of hackers to break CSA’s Software Defined Perimeter.

As background, the Software Defined Perimeter (SDP) is a new security concept being standardized by the Cloud Security Alliance (CSA). SDP combines time-proven security concepts (such as need-to-know access) with new technologies (like Mutual TLS with DHE) into an integrated package.

This new approach to security mitigates network-based attacks by dynamically creating perimeter networks anywhere in the world—including in a cloud, on the DMZ, and in the data center. SDP is designed for a wide range of applications from protecting Internet-facing web sites to enabling secure hybrid cloud networking.

For the purpose of this Hackathon, an SDP in one public cloud will be used to protect a high value file server in a different public cloud. And, since this challenge simulates an insider attack, participants will be provided with the IP addresses of the Target server as well as the SDP components protecting it.

The first participant to successfully capture the target information on the protected server will receive $10,000 in cold hard cash – and in the currency of their choice for those bitcoin fans! All participants will also be entered into a drawing to win $500.

The rules – well, that would be silly – hackers don’t play by the rules, now do they? There are none!

Spectators and hackers can use CSA’s Twitter feed to monitor event progress and ask questions from anywhere in the world, anytime.

To get started, visit https://hacksdp.com and scroll down to the Getting Started section for instructions.

What are you waiting for? Get Hacking!

Financial Survey Now Open: How Cloud Is Being Used in Financial Sector

September 18, 2014

By J.R. Santos, Global Research Director

Today at CSA Congress 2014 here in San Jose, we are announcing the opening of an important survey we hope that you will take part in. The ‘How Cloud is Being Used in the Financial Sector’ survey aims to accelerate the adoption of secure cloud services in the financial industry, by enabling the adoption of best practices.

Some quick background on the group. At CSA Congress 2013, we introduced the Financial Services Working Group in an effort to provide knowledge and guidance on how to deliver and manage secure cloud solutions in the financial industry. A secondary objective of the group is to foster cloud awareness within the sector and related industries. The group’s efforts are designed to complement, enrich and customize the work of other CSA working groups to provide a sector specific guidance.

This inaugural survey from the group aims to identify the following:

  • The industry’s main concerns regarding the delivery and management of cloud services in the financial sector
  • Industry needs and requirements (both technical and regulatory)
  • The adequate strategic security approaches to ensure protection of business processes and data in the cloud
  • Potential gaps in existing CSA research from the financial services standpoint

We hope you will take a few moments to take part in this important survey. The 21-question survey is available at https://cloudsecurityalliance.org/surveys/fswgsurvey/ and will be open until October 26, 2014. The results will be published in late fall.

We would like to thank co-chairs Mario Maawad and Juan Losa, with Maria Louisa Rodriguez, Toni Felguera, and the volunteer members of the Financial Services Working Group for putting this survey in place.

Data Breaches and the Multiplier Effect of Cloud Services

September 17, 2014

By Eduard Meelhuysen, Managing Director, EMEA, Netskope

We have had a number of conversations lately with our customers and partners about cloud security, with a particular focus on data protection in light of a growing number of data breaches. Against a backdrop of the iCloud hack and data breach revelations at major global corporations, the massive growth of cloud services is giving many IT and security professionals pause as they consider the impact that growth will have on data breaches in their organisations.

The cloud introduces new dynamics in enterprise IT, including massive cloud app growth, much of it outside of the purview of IT; mobile access to cloud apps; and cloud-specific capabilities like sharing, which make it easy for content to get out of an enterprise’s control.

Each of these dynamics could be considered a multiplier, or something that increases the probability of a data breach. To take the pulse of the market and quantify this idea, we asked the Ponemon Institute, a foremost expert in data breach research, to conduct a study on the topic. In support of our formal launch of Netskope in the Europe, Middle East, and Africa region, we are releasing “Data Breach: The Cloud Multiplier Effect.”

The report pulls from a survey of 1,059 IT and security practitioners across Austria, Belgium, Denmark, France, Germany, Greece, Ireland, Italy, Netherlands, Poland, Russian Federation, Slovakia, Spain, Sweden, Switzerland and the United Kingdom, and measures not only the multiplier effect that cloud services have on the probability and economic impact of a data breach, but also takes stock of perceptions of cloud vendor enterprise-readiness.

The report reveals several telling findings about the state of cloud security in EMEA, including:

  • The presence of cloud services can increase the probability and economic impact of a data breach involving the loss or theft of customer information by as much as three times.
  • A breach involving the loss or theft of 100,000 customer records would cost an organisation €13.6M, based on previously established cost metrics. Probability-adjusted, the expected economic impact comes to €1.63M. When asked about the increased use of cloud services, respondents projected a new probability that brought that estimate to nearly €5M.
  • 85 percent of respondents don’t believe their cloud provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.
  • 77 percent of respondents fear their cloud service provider would not notify them immediately if they had a data breach involving the loss or theft of customer data.
  • 57 percent of respondents believe their cloud service providers don’t use enabling security technologies to protect and secure sensitive and confidential information.
  • 72 percent believe their cloud service providers aren’t in full compliance with privacy and data protection regulations and laws.

This may sound like doom and gloom, but there’s actually never been a better time to safely adopt cloud services in your organisation. Based on our and our customers’ experience, here are three ideas for safely enabling cloud services while mitigating the risk and magnitude of data breaches and other security threats.

First, discover what cloud apps are in your environment and find out how enterprise-ready they are. This is a big step toward understanding and mitigating the risk of a data breach, because you know what you’re dealing with and can triage the most important apps first. These important apps may include: 1. systems of record or business-critical apps, including your salesforce automation, renewal and billing, and salary and performance tracking systems, to name a few; or 2. apps that contain sensitive data, such as a big data app that you use to crunch medical clinical trial results, a business intelligence app that holds your company’s non-public financial information, or a software development app that contains your source code, roadmap, and quality assurance bug queue. Did you know that, in addition to being apps that contain sensitive data, each of these is an example of an app that enables sharing?

Second, beyond discovering apps and understanding their risk, it’s critical to know how those apps are being used and what data are being uploaded to and reside in them. Answering questions such as “Is anyone uploading personally-identifiable health information to the cloud?,” “Is anybody downloading personally-identifiable information to a mobile device?,” and “Who’s sharing sensitive content outside of my organisation?” will give you a significant leg up on the problem. Once you can answer these types of questions, you can address the risk, whether by having a conversation with users or line-of-business owners, granularly blocking activities like sharing outside of the company, or encrypting certain data when they are uploaded to the cloud.

Finally, get support. We have tremendous resources in organisations like the Cloud Security Alliance. Also, reach out to your vendors such as Netskope and our partners. We have a treasure trove of best practices and advice from customers who have experienced similar challenges.

Data breaches are serious business, and if you believe the respondents in this study, the cloud can have a tremendous multiplying effect on them. However, between understanding your cloud app environment and reaching out for a little help from your friends, you can mitigate the cloud risk multiplier for your organisation and take advantage of all of the productivity benefits that the cloud provides.
