April 10, 2015
By Sam Bleiberg, Communications Associate, Skyhigh Networks
San Francisco hosts more than its share of conferences and festivals, and residents know the best way to maximize their time at an event is to go in with a plan. With that in mind, we created a Skyhigh guide to RSA. Planning your agenda from the laundry list of speaking sessions is overwhelming, so the guide specifically highlights sessions on cloud security from a range of industry voices, including analysts, enterprise practitioners, board members and the founder of the Cloud Security Alliance. (Not signed up for RSA? Get in free with this code.)
From Nonexistent to Gartner’s #1 Security Technology in Three Years: What’s a CASB?
Gartner analysts Neil MacDonald and Peter Firstbrook first called attention to the cloud access security broker (CASB) category in May of 2012. Two years later, Gartner named CASB the number one security technology for 2014. Cloud’s transformational power in the enterprise has driven the need for this layer of security, with features including visibility into shadow IT, data governance, and encryption. Learn why progressive organizations including Cisco, HP, Western Union, and Zurich Insurance rely on this tool within their security portfolios. Panel participants include some of the top names in enterprise security, as well as MacDonald himself as moderator.
Beware the Cloudpocolypse: A Panel on Security from Cloud Providers
While enterprise-ready cloud providers can be more secure than on-premises storage, the proliferation of consumer cloud services in the enterprise and the lack of visibility into cloud use are leading down the path to a “cloudpocolypse.” With Cloud Security Alliance founder Jim Reavis moderating, this session should provide an excellent high-level introduction to the risk posed by line-of-business cloud adoption. In particular, expect an interesting debate on which security responsibilities sit with the cloud provider, the security provider and the enterprise.
Cloud Threats to the Enterprise
Addressing the Cloud Security Challenge: A Practitioner’s Experience
Jim Routh, CISO at Aetna, is not only a forward-thinking security leader, he’s also an excellent speaker, and his talk at the Cloud Security Alliance Summit at RSA promises valuable insights from the practitioner’s perspective. Routh has taken a proactive approach to cloud visibility and security, making a point to cut the sensationalism out of security to focus on data-driven decisions.
Victims DON’T Have Their Heads in the Clouds: An Insider Threat Case Study
While Snowden made insider threat a top-of-mind issue for every security team, the reality is that small-scale insider threat incidents frequently fly under the radar. Cloud offers a dangerous vector for insider threat because organizations lack controls over both sanctioned and unsanctioned cloud services. Only 17% of companies reported an insider threat incident at their organization in the past year, but 85% of companies had cloud usage activity strongly indicative of insider threat. We highlighted six particularly nefarious tales of insider threat in the cloud; this panel should provide practitioners with useful tips for preventing it.
Something Awesome on Cloud and Containers
It’s a good rule of thumb to tune in whenever Rich Mogull talks cloud security. While the description is ambiguous, this talk featuring the Securosis founder is mandatory for those paying attention to the cutting edge of cloud security.
Six Degrees of Kevin Bacon: Securing the Security Supply Chain
The average organization connects with 1,555 partners through the cloud, with 30% of shared data going to high-risk partners. Despite being the source of high-profile breaches at organizations like Target, where a heating and cooling vendor served as the attackers’ entry point, risk from the partner environment is underrepresented in security industry conversations. This session covers a key attack vector, one that may lead to future breaches if not properly addressed. Review our Q1 Cloud Adoption and Risk Report for key risk metrics on partner cloud connections.
Catered to the C-Level
Inside the Boardroom: How Boards Manage Cybersecurity and Risk
Cloud use and security have risen hand in hand, from lines of business, to the IT department, to the CIO and CISO. In 2014, security finally arrived in the boardroom with multiple CEOs losing their jobs in response to data breaches. This panel offers multiple perspectives, including those of a board member and a CISO.
Security Metrics That Your Board Actually Cares About!
On the same topic, Australia Post CISO Troy Braban will share tips from his experience on selecting security metrics that resonate with the board. Given Australia’s strict data residency regulations, Braban’s perspective should offer valuable insights for security practitioners at global organizations.
April 7, 2015
By Chris Hines, Product Marketing Manager, Bitglass
When the story first broke about the Morgan Stanley breach, in which an ex-employee stole corporate data and posted it on the public paste site Pastebin, it got us thinking. We all hear about the massive breaches that take place (Target, Home Depot, Sony, Anthem, Premera), but what actually happens to the data after it is stolen? Where does it travel to? How many people see it, and how much damage can it cause?
To find answers to these questions, we decided to launch the world’s first data tracking experiment located on the Dark Web. So, what did we do? We created an Excel spreadsheet of 1,568 fake employee credentials and placed it on anonymous file sharing sites within the “Dark Web,” using a Tor browser as our entry point. We then tracked the data as it travelled to various sinister locations around the world and was shared among cyber-crime syndicates overseas. But how?
Here at Bitglass we have developed the first watermarking security solution on the planet. The patent-pending tracking technology works like this.
- The document travels through the Bitglass proxy when it is downloaded from a cloud or on-premises application to a mobile device.
- At that point, the document is automatically embedded with an invisible watermark.
- Every time the document is opened, a “ping” is sent to the Bitglass portal showing user name, file name, geographic location, IP address and device type.
- Even if a watermarked document is copied and pasted elsewhere, or otherwise altered, the watermark persists.
What we found from this experiment will change the way that our industry views data security today, and shine a light on the need for greater visibility into where sensitive data travels. Especially after a breach.
Who’s keeping tabs on your data?
April 2, 2015
By Stephanie Bailey, Senior Director/Product Marketing, Perspecsys
Despite the clear benefits of the cloud, many enterprises still hesitate to fully adopt or capitalize on all of its advantages. There are a few key reasons for hesitation: the prevalence of data breaches and hacks in recent years, stricter data residency requirements across geographical boundaries, internal restrictions brought about by company policies or industry requirements, and the expectations of consumers. Each of these reasons for delaying full adoption deserves a deeper look at the strategies that can reduce or remove the risk to the enterprise.
Rise in Breaches & Hacking
In recent years, data breaches across all industries and company sizes have been reported on a regular basis. A recent PwC survey found that 42.8 million security incidents were detected in 2014, an annual increase of 48%, with an average cost of $2.8 million [i]. Many breaches go undetected or unreported, so both that count and the financial losses could be much higher. It is no wonder that these reports cause some organizations to slow down and reevaluate their move to the cloud.
All of this means enterprises must contend with two separate security issues, external and internal. The external issue is the loss of control that comes with sending sensitive or regulated data to a third-party cloud service provider (CSP) and having to trust that the information is processed and stored securely and in compliance. The internal issue is establishing and implementing the right security standards to protect data inside the corporate firewall, particularly against challenges such as the rising prevalence of bring-your-own-device and mobile computing.
Geographic Residency Requirements
Cloud data privacy laws vary greatly by country and region. Currently the European Union, and Germany in particular, has some of the strictest laws in the world, creating a more restrictive environment for enterprises. Data residency requirements prevent some enterprises from moving regulated data outside the borders of the countries in which they operate. Maintaining strict security standards is especially important in countries concerned with the collection of personally identifiable information (PII). Since a CSP may store data, including PII, in any number of data centers worldwide, this keeps some enterprises in the stricter regions from taking advantage of the cloud.
Internal & Industry Requirements
There are also data privacy concerns driven by internal management or defined by external industry guidelines. An enterprise’s list of internal security requirements is often evaluated against published industry standards to ensure that sensitive information is adequately protected. These standards may be legally required by industry, government or, again, geographic region. Many industries depend on the collection of PII to conduct daily business operations, serve customers and process payments and receipts, and therefore face strict regulations about how and where this data may be stored and shared.
Cloud data privacy issues are also a key concern for individual consumers using an organization’s or business’ cloud application. With the proliferation of the Internet and cloud computing more PII is being shared online, making individuals vulnerable to security risk. Increasingly, savvy individuals want to know that the information being put in the cloud is adequately protected and secured by the organization.
Finally, many B2B enterprises find that their business contracts have specific stipulations about how their business customers’ data must be treated, especially if it is going to be processed in cloud-based third-party systems as part of the contractual service being provided. These contracts can carry severe penalties for data exposure, so enterprises need to take special steps to mitigate the security risks.
How to Address These 3 Reasons for Hesitation
There is little doubt that the proliferation of business-improving cloud applications will continue in the coming years and provide business advantages to those that adopt them. The question is how enterprises hesitating now can reevaluate and begin adopting popular cloud applications while meeting the security demands placed on them. One option some enterprises have chosen is to forgo public cloud applications and build a private cloud, a costlier option with less access to leading innovations in most cases. But there are other strategies for adopting popular public cloud applications without giving up security requirements. It begins with a well-architected security plan that includes a strategy such as cloud encryption or tokenization to protect data before it is sent off-site to any public cloud application.
One emerging strategy is to adopt solutions in a technology category known as Cloud Access Security Brokers (CASBs). With a CASB, organizations have a hosted or on-premises control point for all data as it moves to the cloud. Gartner recently published a report discussing the growing use of CASBs to enforce core security policies for data moving to the cloud, stating that CASBs “will become an essential component of SaaS deployments by 2017”. [ii] Forrester’s recent Market Overview on Cloud Data Protection Solutions (CDP) went so far as to say, “CDP Solutions Are a Mandatory Security Control.” [iii] This is a fast-moving space that will have a high impact on cloud computing going forward, particularly for those enterprises currently hesitating to fully adopt the cloud.
March 27, 2015
By Raj Samani, Vice President and CTO, McAfee EMEA
Can we really trust cloud computing? Or perhaps more importantly do you trust the cloud? And does the perceived lack of transparency, combined with recent negative headlines, impact future investments in cloud computing?
In conjunction with the Cloud Security Alliance, we have prepared a survey to gain a better understanding of the perceived trust within cloud computing. Our Cloud Trust survey is intended to tell us about levels of trust and where the fundamental differences lie between certain geographies and organizations (by size).
The reality is that cloud computing plays an integral role in our digital lives and allows all of us to focus on what matters most while outsourcing the work required to deliver our email, host our websites and much else. Gaining an understanding of the emerging security and privacy requirements is important. It gives us a platform that we can trust and rely on, both as consumers and within our work lives.
We therefore really need your help. Please take five minutes to provide your feedback. Let us know your perception of how trustworthy cloud computing is and has been, and more importantly the measures that are required for the future cloud. The survey can be found here.
So far the results make for some really interesting reading, most notably that the cloud is seen as considerably more trustworthy than 12 months ago. We will keep the survey open a little longer and publish a report based on the findings. This will help all of us as an industry introduce the necessary trust within the cloud computing services that we rely on.
March 26, 2015
By Chris Hines, Product Marketing Manager, Bitglass
“As soon as you allow a user to have access to the cloud applications, let’s say it’s a file sharing service, inevitably they want to do it from their own device, from home, from their iPad, from their Android device, inevitably this will happen” – Neil MacDonald, Gartner Analyst
Given the abundance of mobile devices, coupled with the productivity and cost-reduction benefits they bring, the number of companies that allow employees to access sensitive corporate data from personally owned devices has continued to grow. According to Gartner, by 2017 over half of organizations will actually require users to bring their own device to work.
This proliferation of data moving outside company networks, down to employee-owned smartphones, tablets and laptops, increases the chance of data leaking and getting into the wrong hands. This is perhaps why BYOD has become a huge pain point for professionals looking to secure mobile devices (I’m sure a lot of you are already cringing at the thought of BYOD security). It also doesn’t help that employees themselves have a false sense of their own mobile security savvy.
It turns out that, surprise, surprise, smartphone users are making silly and unsafe mistakes when it comes to privacy. A survey of 1,000 smartphone users by the security firm Lookout found that, of those who called themselves security savvy, 52% admitted to not reading privacy policies before downloading mobile apps, 34% had not set a PIN or passcode on their phones, and 35% had downloaded mobile apps from unofficial marketplaces. It’s also important to point out that 76% connect to public Wi-Fi networks, increasing the risk of cyber criminals getting their hands on sensitive data flowing to mobile devices.
So, how do you solve for BYOD security?
If you want to secure BYOD devices, you should adopt a “managed” vs. “unmanaged” device profile policy within your company. Here is a diagram that demonstrates what a policy like this might look like.
As you can see from the diagram, very different contextual access controls, application access rules and data protection techniques apply to managed and unmanaged devices. Since “managed” devices pass the contextual access control test, they can access any cloud application they like and have full access to all data stored within it. Because of the managed device profile, these devices pose significantly less risk to your corporate data than “unmanaged” devices.
Unmanaged devices do not pass the contextual access control test, which limits the applications and sensitive data they can reach and increases the data protection applied to them. This profile involves controlled access. A clear example would be forcing unmanaged devices into an encrypted container for all downloads made from cloud apps, and redacting certain keywords before the data reaches the device.
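The two profiles written out as an added policy example (this is not Bitglass code; the device signals, the app lists and the sensitive terms are assumed): `classify()` runs the contextual checks, `authorize()` applies the per-profile application list, and `prepare_download()` decides whether a file goes to the device untouched or redacted and flagged for the encrypted container.

```python
"""Managed vs. unmanaged device policy for cloud application access.

Added example for the two-profile approach described above (not Bitglass
code).  A managed device passes every contextual check and gets full access;
an unmanaged device gets a shorter app list, downloads wrapped in an encrypted
container, and keyword/pattern redaction before content reaches the device."""
import re
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    has_mdm_cert: bool      # assumed signal: presents the enrolment cert your MDM issued
    os_patched: bool        # assumed signal: agent reports a current OS build
    screen_lock: bool       # assumed signal: PIN/passcode enforced
    jailbroken: bool = False


ALL_APPS = {"salesforce", "box", "office365", "hr-portal"}
UNMANAGED_APPS = {"office365", "box"}             # assumed reduced list
SENSITIVE_TERMS = ("salary", "confidential")      # assumed keyword list
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify(device: Device) -> str:
    """'managed' only when every contextual check passes; anything else is 'unmanaged'."""
    checks = (device.has_mdm_cert, device.os_patched, device.screen_lock,
              not device.jailbroken)
    return "managed" if all(checks) else "unmanaged"


def authorize(device: Device, app: str) -> bool:
    """Application access depends on the profile, not on the user alone."""
    allowed = ALL_APPS if classify(device) == "managed" else UNMANAGED_APPS
    return app in allowed


def redact(text: str) -> str:
    """Strip SSN-shaped strings and the configured keywords (case-insensitive)."""
    text = SSN_PATTERN.sub("[REDACTED]", text)
    for term in SENSITIVE_TERMS:
        text = re.sub(re.escape(term), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def prepare_download(device: Device, content: str):
    """Return (content_to_send, wrap_in_encrypted_container).

    Managed devices receive the file as-is; unmanaged devices receive a
    redacted copy that the proxy should deliver into the encrypted container."""
    if classify(device) == "managed":
        return content, False
    return redact(content), True


if __name__ == "__main__":
    # Constructed sample devices and document.
    corp_laptop = Device("corp-laptop-17", True, True, True)
    home_tablet = Device("home-tablet-3", False, True, False)
    doc = "Salary review, CONFIDENTIAL. Employee SSN 123-45-6789."
    for dev in (corp_laptop, home_tablet):
        print(dev.device_id, classify(dev), authorize(dev, "hr-portal"),
              prepare_download(dev, doc))
```

The important design point is that the profile is computed from signals the proxy can verify (an MDM certificate, an agent report), not from anything the device asserts about itself; a self-reported "I am managed" flag would let any device pick the permissive branch.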
The managed vs. unmanaged approach works because, whatever your security posture, it allows for BYOD security while preserving the productivity and cost-reduction benefits companies were aiming for in the first place.
Now that you know how to achieve BYOD security, it’s time for you to take a look at your own infrastructure and start building your device profiling strategy. Here’s how to get started
March 23, 2015
If you are in charge of deploying a cloud app or suite like Box, Office 365, or Google Apps in your environment, you need to read this:
We just completed a piece of research here at Netskope on cloud app ecosystems. In it, we highlight an important trend: the rise of cloud apps that orbit large, “anchor tenant” apps like Salesforce or Box.
Here’s how this trend works: enterprises adopt popular cloud apps like Salesforce. IT is aware of and often manages the deployment, management and security of the app. As lines of business begin using it, they find lots of different ways to get value. Those use cases often involve third-party services that integrate with the main app (the way Marketo, Zendesk and DocuSign integrate with Salesforce). Because it’s in Salesforce’s interest to foster this ecosystem (it makes Salesforce more valuable), Salesforce supports developers with rich APIs, documentation and sometimes even go-to-market support. Salesforce recently commented that half of its revenue is attributable to its APIs. That’s a heck of a business!
But what enterprises don’t often realize is that when they sanction an “anchor tenant” app, they are also welcoming dozens of apps that integrate with that app, many of which they don’t know about. And since they don’t know about them, they often don’t realize that those apps are sharing data back and forth with their sanctioned app, which poses risk of data exposure or leakage.
The big finding in our study is the number of apps per major app. We studied four apps, and found that in each of the enterprises in our cloud service, there is an average of 28, 26, 20, and 19 cloud apps for every implementation of Box, Salesforce, Dropbox, and Google Apps, respectively. Even more interesting, when we marry these stats to the data in the Netskope Active Platform, we find that, among other things, 15.3 percent of all downloaded data and 44.4 percent of DLP violations are from the Salesforce ecosystem (exclusive of Salesforce).
Why spend time on this research? Well, there’s a lot of talk in the market about protecting the major apps or sanctioned apps. While organizations rightly put a lot of emphasis on those apps, more controls can be like building a fence around Fort Knox. Instead, they should be paying attention to the myriad of apps that share data with those apps. Those ecosystems are made up of apps that have been sanctioned by the enterprise and several that are unsanctioned.
Here are five things we recommend for getting your arms around cloud app ecosystems:
- Know what apps are running in your organization that integrate with your major apps, including sanctioned and unsanctioned apps;
- Understand the workflows they complete and what data they pull out of (or contribute to) your major apps;
- Secure access to those apps with identity management or SSO;
- Monitor those apps as a group with your major apps. We have the ability to do this with custom app tags in the Netskope product; and
- If you enforce policies (e.g., “don’t share outside of the company” or “don’t download to an unmanaged device if what’s being downloaded contains personally identifiable information,”) in your major apps, extend those policies to your ecosystem apps as well to get the intended security outcome.
If you want to read the report, you can get it here.
March 12, 2015
By Christopher Hines, Product Marketing Manager, Bitglass
The cloud. Companies want it, but can they secure it? Moving to cloud applications like Salesforce, Office 365 and Box, can be beneficial for business but companies must first answer the question of security.
Today we announced the findings of the 2015 Bitglass Cloud Security Report. The report is the result of a survey of 1,010 IT security professionals working across the globe.
This report provides insight into the level of cloud adoption today, industry trends, the top cloud security risks and the cloud security solutions that IT security professionals are using. So, let’s dig into some of the findings.
Delivering on the hype? Yes and no
The report confirmed that the hype behind cloud adoption has been proven true. Companies are seeing benefits including increased flexibility, greater availability and low costs since moving to the cloud. Interestingly, when it comes to security and compliance, the results showed that cloud is falling short. In fact, 90% of organizations have security concerns!
Insider threats > outsider cyber hackers
We found that the majority of concerns that companies have are not of malware and hacking from outside entities. Instead, companies are most concerned about their employees and view them as the weakest link in the security chain. Of the 1,010 respondents, 63% said that unauthorized access to sensitive company data was the number one greatest risk to their organization. Hijacking of accounts (61%) and malicious insiders (43%) made up the rest of the top 3 risks to company data.
With the amount of corporate data now flowing up into cloud apps and down to mobile devices, it makes sense that employees represent the greatest risk to organizations. Companies must be able to control the flow of their data.
How companies are approaching security
65% of respondents said that data encryption topped the list of the most effective security technology for data protection. It’s also important to note that due to the proliferation of data that is now moving outside of the firewall, 68% of companies believe that a perimeter-based approach to security is no longer the correct strategy for securing data.
I encourage you to take a deeper look into the data within the report and see what your peers have to say when it comes to our industry’s greatest concern. Securing the cloud.
March 11, 2015
By Jacob Ansari, Manager, Brightline
Recent adware has made significant waves in some information security circles, both for its own security vulnerabilities and for its potential larger impact on one of the essential systems of trust that Internet sites rely on: the browser.
While users can obtain fixes or removal tools for both Superfish and PrivDog, the issue remains that our browsers can make trust decisions for us that we do not always know about or understand, and to which we may not consent.
This problem isn’t new. Public-key infrastructure (PKI) systems (systems that use digital certificates to verify the authenticity of websites on the Internet) ultimately rely on a series of ostensibly trustworthy entities not abusing that trust. For users, this often means understanding which root certificates their web browsers trust. These root certificates, belonging to organizations called certificate authorities (CAs), digitally sign, and so vouch for, the certificates that sites on the Internet use to substantiate their identity. Modern browsers come with a large set of root certificates installed, usually from public CAs, although users, or the software they install, can modify this repository.
This was the core problem with Superfish. The utility, installed by default on Lenovo laptops, subverted that trust relationship by installing not just a certificate that the browser trusted but a root certificate, whose private key shipped on every affected machine, which could then re-sign other sites’ certificates and allow the holder of that key to decrypt the web traffic to those sites. The ad company intended this to inject advertisements into browser traffic, even on encrypted sites, but the phony Superfish root would allow an attacker to manipulate any encrypted web traffic and make it appear legitimate. The plot thickened a few days later when researchers and savvy users discovered that an ad blocking and replacement tool called PrivDog did the same thing, with the potential to create even more security issues since it would re-sign any certificate, including otherwise invalid or questionable certificates, without any verification whatsoever. The situation with PrivDog is particularly troublesome in that the developer of this software is the founder and CEO of Comodo, one of the largest CAs in the world; however, the versions of PrivDog with this particular problem do not appear to have been bundled with Comodo security software.
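A check for the Superfish/PrivDog pattern, added here and not part of the original post: both incidents amounted to a new root appearing in the machine’s trust store, so the practical detection is a diff of the current roots against a baseline captured from a clean build, plus a deny-list of subjects known to be bad. Certificates are handled as the dictionaries Python’s `ssl` module returns from `SSLContext.get_ca_certs()`; the baseline entry and the adware root below are constructed sample data (the serial numbers are illustrative), and “Superfish, Inc.” is the organisation name on the root Superfish installed.

```python
"""Audit the roots a machine trusts against a known-good baseline.

Added example (not from the post).  Roots are represented as the dicts
Python's ssl module returns from SSLContext.get_ca_certs(); the sample store
below is constructed for the example."""
import ssl

# Organisation names that must never appear on a trusted root.
DENY_ORGS = {"Superfish, Inc."}


def subject_dict(cert: dict) -> dict:
    """Flatten ssl's ((('countryName', 'US'),), (('organizationName', 'X'),), ...) form."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}


def cert_id(cert: dict):
    """Stable identity for a root: issuer DN plus serial number."""
    issuer = tuple(sorted(subject_dict({"subject": cert.get("issuer", ())}).items()))
    return (issuer, cert.get("serialNumber", ""))


def audit_roots(current, baseline, deny_orgs=DENY_ORGS):
    """Return [(commonName, reason), ...] for roots that need a human to look at them."""
    baseline_ids = {cert_id(c) for c in baseline}
    findings = []
    for cert in current:
        subj = subject_dict(cert)
        cn = subj.get("commonName", "<no CN>")
        org = subj.get("organizationName")
        if org in deny_orgs or cn in deny_orgs:
            findings.append((cn, "subject is on the deny-list"))
        if cert_id(cert) not in baseline_ids:
            findings.append((cn, "not present in the baseline trust store"))
    return findings


def audit_system_roots(baseline):
    """Compare the roots this process trusts (the platform default store) to a baseline."""
    ctx = ssl.create_default_context()
    return audit_roots(ctx.get_ca_certs(), baseline)


# Constructed sample store: one legitimate-looking root in the baseline, plus
# the adware root appearing on the audited machine.  Serial numbers are
# illustrative, not the real values.
BASELINE = [{
    "subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                (("commonName", "DigiCert Global Root CA"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert Global Root CA"),)),
    "serialNumber": "083BE056904246B1A1756AC95991C74A",
}]
SUPERFISH_ROOT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                (("commonName", "Superfish, Inc."),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
    "serialNumber": "01",
}

if __name__ == "__main__":
    for cn, reason in audit_roots(BASELINE + [SUPERFISH_ROOT], BASELINE):
        print(f"{cn}: {reason}")
```

`audit_system_roots()` applies the same comparison to whatever the host’s default store contains; on Linux that is the OpenSSL bundle and on Windows the OS store, so a browser such as Firefox, which keeps its own root store, needs a separate check.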
Attacks targeting this system of trust have happened before. In 2011, DigiNotar, a Dutch CA, was compromised. The attacker or attackers (thought to be agents of the Iranian government trying to spy on dissidents) issued numerous certificates that appeared legitimate. Because they held the corresponding private keys, they could impersonate those sites and decrypt any intercepted traffic authenticated by the fraudulent certificates or any certificates derived from them. In 2012, another CA issued a subordinate CA certificate, encased in a specialized hardware device called a hardware security module (HSM), to a third party as a product for monitoring traffic leaving an organization, ostensibly to prevent company confidential information from getting out. Doing so yielded the same sort of result: it allowed the device holding the subordinate certificate to impersonate any encrypted site on the Internet in a way that most users would not detect.
These developments create significant dangers for safe Internet use, in that an attacker who obtains such certificates and keys can manipulate many users into trusting hostile sites. Even without a criminal gaining access to them, placing root or subordinate CA certificates outside the most protected and trusted environments tampers with one of the underpinnings of the Internet. The trust that needs to exist will erode if users cannot be sure that the site they intend to visit is actually the site shown in the browser. Undermining website security and authenticity for criminal purposes, or as an act of surveillance, has its own legal, political and other issues. Doing so merely to serve up advertisements shows a breathtaking measure of recklessness.
So what do we learn from this?
Primarily we learn that the world is full of organizations that play with fire and adversely affect Internet security for a variety of self-serving reasons. Perhaps this isn’t surprising. Users will need to understand how these trust relationships work so that they can decide which sites to visit and trust from a more informed standpoint. That may be an unrealistic expectation, and one that puts a lot of burden on ordinary people who just want to use the Internet as they always have. Additionally, certificate authorities and other intermediaries should undergo more scrutiny in how they manage the security of certificates, keys and the like. There are several audit standards to guide CAs, from WebTrust for Certification Authorities to the various CA/Browser Forum guidelines. More than likely, however, the responsibility will fall to the community of security professionals to inform all interested parties about these sorts of threats and mount effective defenses against them.
- PCWorld.com – CEO says Superfish is safe as US issues alert to remove Superfish from Lenovo PCs
- A Few Thoughts on Cryptographic Engineering
- Lenovo – Superfish Uninstall Instructions
- nakedsecurity.com – Anatomy of a certificate problem – the “PrivDog” software in the spotlight
- Wikipedia – DigiNotar
- Trustwave issued a man-in-the-middle certificate
March 6, 2015
The Average Company Uses 122 FREAK-vulnerable services
By Sekhar Sarukkai, Co-founder and VP of Engineering, Skyhigh Networks
This week a group of researchers at INRIA, Microsoft Research and IMDEA disclosed a widespread vulnerability in OpenSSL and Apple’s Secure Transport that leaves millions of Apple and Android devices open to man-in-the-middle attacks when they visit supposedly secure websites and cloud services. You can read the detailed description of the vulnerability from the researchers here.
The researchers have dubbed it the “FREAK” vulnerability (CVE-2015-0204), for Factoring Attack on RSA-EXPORT Keys. It enables an attacker to force a client into using older, weaker encryption, the “export-grade” RSA key exchange with 512-bit keys, which are small enough to be factored.
Currently, the media have focused on tracking vulnerable websites and highlighting specific sites, such as the White House, FBI, and NSA that suffered from the vulnerability. As of Wednesday at 12PM PST, 36.7% of browser-trusted sites, 26.3% of Full IPv4, and 9.7% of Alexa’s top 1M domains were vulnerable (Note – this website is not vulnerable). For the latest website vulnerability metrics, check https://freakattack.com/
Naturally, here at Skyhigh we’re most concerned with identifying and tracking vulnerable cloud services and helping enterprises manage their IT Security response and protect their users and data. Below we’ll share the latest data on cloud service vulnerabilities and share the security steps organizations must take to protect themselves. You can read our detailed advice on how to protect corporate cloud data from FREAK here.
First, a little background (why is there “export-grade” security anyway?)
In the 1990s Netscape developed SSL, which was widely used to protect credit card transactions using public key cryptography. However, US export policy required an intentionally weakened version of the technology and dictated a maximum RSA key length of 512 bits for “export-grade” encryption.
The idea was that, with 512-bit encryption, the NSA would have the ability to access communications, while theoretically providing crypto that was still good enough for commercial use. And now, despite the fact that these export restrictions have been modified or lifted, “export-grade” cryptography support was never removed, so many devices can be tricked into accepting the lowest “export-grade” encryption, opening them up to man-in-the-middle attacks.
How does the man-in-the-middle attack work?
Matthew Green, a research professor at the Johns Hopkins Information Security Institute, has a simply stated (and widely cited) description of how the FREAK man-in-the-middle attack works:
- In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
- The MITM attacker changes this message to ask for ‘export RSA’.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/Secure Transport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
- From here on out, the attacker sees plain text and can inject anything it wants.
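Steps 2 and 3 above leave an observable trace on the wire: a ClientHello offering export RSA suites (which no modern client sends on its own) and a ServerHello selecting one. The following added example, not part of Green's write-up or Skyhigh's tooling, parses the cipher suite fields of constructed ClientHello and ServerHello records and flags the export-grade RSA suites, the kind of check a passive monitor or a server-side configuration test can apply.

```python
import struct

# Export-grade RSA cipher suite codes (TLS 1.0/1.1 registry values).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite codes carried by a ClientHello (all offered)
    or ServerHello (the one selected) inside a TLS handshake record."""
    rec_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # Both Hellos begin: version(2) random(32) session_id_len(1) session_id
    pos = 35 + hs[34]
    if hs_type == 0x01:  # ClientHello: cipher_suites<2..2^16-2>
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        return [struct.unpack("!H", hs[pos + 2 + i:pos + 4 + i])[0] for i in range(0, n, 2)]
    if hs_type == 0x02:  # ServerHello: a single selected cipher suite
        return [struct.unpack("!H", hs[pos:pos + 2])[0]]
    raise ValueError("not a ClientHello or ServerHello")

def export_suites_in(record: bytes) -> list:
    """Names of any export-grade RSA suites offered or selected in the Hello."""
    return [EXPORT_RSA_SUITES[s] for s in hello_cipher_suites(record) if s in EXPORT_RSA_SUITES]

def build_hello(hs_type: int, suites: list) -> bytes:
    """Constructed sample data: a minimal TLS 1.0 Hello record (zero random, no session id)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"
    if hs_type == 0x01:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"  # one compression method: null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Step 1: the client offers only standard RSA suites (AES-128/256 CBC SHA).
CLIENT_HELLO = build_hello(0x01, [0x002F, 0x0035])
# Step 2: the same Hello after a man-in-the-middle rewrites it to ask for export RSA.
DOWNGRADED_HELLO = build_hello(0x01, [0x0008])
# Step 3: a ServerHello from a server that still honours export suites.
SERVER_HELLO_EXPORT = build_hello(0x02, [0x0008])
```

A server that has been remediated as described below will never produce a ServerHello for which `export_suites_in` returns a non-empty list.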
How many cloud services are vulnerable?
Skyhigh’s Service Intelligence Team tracks vulnerabilities and security breaches across thousands of cloud providers, including the FREAK vulnerability. Almost 24 hours after the vulnerability was widely publicized, 766 cloud providers are still not patched, leaving them vulnerable to attack. These services include some of the leading backup, HR, security, collaboration, CRM, ERP, and cloud storage services.
The average company uses 897 cloud services, making the likelihood they use at least one affected service extremely high. Across over 350 companies using Skyhigh, 99% are using at least one cloud provider that is still not patched and the average company uses 122 vulnerable services. We’ll continue tracking these services, working with customers to diagnose and remediate vulnerabilities and provide updates as cloud services are patched.
Here’s how to eliminate the FREAK vulnerability from your cloud service
In order to close the vulnerability, cloud providers should disable support for export cipher suites. Rather than only excluding the RSA export suites, administrators should disable support for all known-weak ciphers and enable forward secrecy. Mozilla published a guide here, and an SSL Configuration Generator, which provides good configurations for common servers.
Here’s how to protect your company from FREAK
Enterprises need to determine and contain both their service-side and client-side exposure. Skyhigh has contacted each of the cloud providers affected and is working with them to ensure they are aware of their vulnerability and perform remediation. We’ve also alerted our customers who use affected services.
There are 4 steps that every company needs to take in response to FREAK:
- Determine your service-side exposure: Skyhigh automatically alerted customers to services they use that are affected by FREAK. If you’d like to identify all the affected services in use at your company for free, email [email protected]. If you’d like to look up an individual service to see if it’s vulnerable, visit: https://tools.keycdn.com/freak
- Contain your client-side exposure: Ensure that only browser versions that are not susceptible are in use (Chrome, or later versions of IE and Firefox, for example). If employees use unmanaged BYOD devices, educate them on the current safe browser list at http://www.computerworld.com/article/2892926/time-to-freak-out-how-to-tell-if-youre-vulnerable.html
- Validate proxy configurations: If you manage your enterprise network and your enterprise uses a MITM proxy (like a web proxy), ensure that its configuration is properly set so that it does not degrade the security of the connections it terminates.
- Ensure any OpenSSL use within enterprise is updated: If not careful, external facing sites may be fixed first and internal sites/development environments never. Ensure that you don’t take your eye off internal deployments, as well.
March 6, 2015 | Leave a Comment
By Todd Partridge, Director of Strategy, Intralinks
This is the first in a 3-part series examining information security in the cloud.
Have you ever leased a safety deposit box from your bank? For years the security and privacy of a safe deposit box has been the standard in the physical world. People have put their most important and their most valued information in bank vaults around the world with the confidence that it would remain secure and kept away from unsolicited parties. Safe deposit boxes provided the extremely high security measures and processes needed to protect these assets at scale.
In essence, the hundreds of customers a bank may have shared the cost of providing that ongoing security and privacy. Today’s SaaS industry is predicated on the same principles: that it is far more cost effective for customers to share the cost of computer power, infrastructure, and application maintenance. The question that often remains is whether or not SaaS providers are capable of providing the same level of confidence that banks have provided for safe deposit boxes.
On the consumer side of the SaaS market, users hear the stories of large enterprises losing priceless intellectual property and they listen to ‘experts’ saying that cryptography could have protected them. To the average user of a cloud service the question becomes, “why not just encrypt the data and be done with it?” Reality becomes even murkier when it is mixed with strong PR campaigns of companies looking to make a name for themselves as they capitalize on the misfortune of these companies that may not have taken the appropriate measures to protect their data in the cloud. In the cloud, customer data faces different threats when at rest, in transit, or in use.
There are important differences to each of these threats and their associated responses that bear further discussion. Here we’ll take on data at rest, but as a backdrop we must not forget that it is the intricate weave of all three that is important.
Data at Rest
Any service hosting customer data must provide assurances that it is protected while in their custody from external hackers, malicious insiders, and as we learned recently, governments. So, data must be encrypted at rest, which is relatively easy to implement. Many players, big and small, may declare that they give their customers full control of the encryption keys, also known as Customer Managed Keys (CMK). As companies begin to realize the importance of owning and managing the encryption keys used to protect their data in the cloud, the important question is – how is that control implemented?
There are several questions that today’s enterprises should consider when evaluating a cloud service provider’s claims of customer managed encryption keys:
- Can the customer log in directly to the appliance that houses the keys and suspend the key without the provider’s help or knowledge, if needed?
- Is there any provider software in the middle that can be compromised and leak the key?
- Keys need to be rotated. What happens to data at the time of key rotation?
- Does the customer need to wait for re-encryption of terabytes of data with the new key?
Arguably, if the chosen managed keys solution cannot provide these capabilities, it may fall short of many enterprise requirements for secure storage of that company’s most valuable information assets. Businesses need to pay attention to the details of the proposed solution just as they would pay attention to whether or not their bank has the right measures in place to protect the items they place in its safe deposit boxes.
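The rotation questions above have a concrete answer in envelope encryption: each object is encrypted under its own data key (DEK), and the customer-managed key (KEK) only wraps those DEKs, so rotating or suspending the KEK never touches the bulk ciphertext. The following is an added illustration of that design, not Intralinks’ implementation; its cipher is a stdlib-only HMAC-based toy standing in for AES-GCM, and the record layout is hypothetical.

```python
import hmac, hashlib, os

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream, XORed in 32-byte blocks) used
    here only so the example runs on the standard library; a real service would
    use AES-GCM or a similar authenticated cipher in both roles."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def _wrap(dek: bytes, kek: bytes) -> dict:
    """Wrap the data key under the customer's KEK, with a tag so a wrong or
    suspended KEK is detected rather than yielding garbage."""
    nonce = os.urandom(12)
    wrapped = _stream_xor(kek, nonce, dek)
    tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
    return {"wrap_nonce": nonce, "wrapped_dek": wrapped, "wrap_tag": tag}

def _unwrap(record: dict, kek: bytes) -> bytes:
    tag = hmac.new(kek, record["wrap_nonce"] + record["wrapped_dek"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["wrap_tag"]):
        raise ValueError("KEK does not unwrap this record")
    return _stream_xor(kek, record["wrap_nonce"], record["wrapped_dek"])

def encrypt_record(plaintext: bytes, kek: bytes) -> dict:
    """Envelope encryption: a fresh per-object DEK encrypts the data; the KEK only wraps the DEK."""
    dek, nonce = os.urandom(32), os.urandom(12)
    record = {"data_nonce": nonce, "ciphertext": _stream_xor(dek, nonce, plaintext)}
    record.update(_wrap(dek, kek))
    return record

def decrypt_record(record: dict, kek: bytes) -> bytes:
    return _stream_xor(_unwrap(record, kek), record["data_nonce"], record["ciphertext"])

def kek_opens(record: dict, kek: bytes) -> bool:
    """True if this KEK still unwraps the record (False after suspension or rotation)."""
    try:
        _unwrap(record, kek)
        return True
    except ValueError:
        return False

def rotate_kek(record: dict, old_kek: bytes, new_kek: bytes) -> dict:
    """Rotation re-wraps the 32-byte DEK under the new KEK; the bulk ciphertext is
    not touched, so terabytes of data need not be re-encrypted."""
    return {**record, **_wrap(_unwrap(record, old_kek), new_kek)}
```

The property to look for in a provider’s design is the one `rotate_kek` shows: after rotation the stored ciphertext is byte-for-byte unchanged, and the old KEK no longer opens anything.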
Keeping Data Protected
It is obvious that data protection, especially in a SaaS model, is a complex task where science, engineering, and operations must be aligned perfectly to protect information assets from any number of threats. Just as banks provide a multi-layered security model to protect their customers’ valued assets, cloud service providers need to give their customers analogous capabilities such as:
- A container suitable for the storage of a company’s most valuable information
- Customers’ ability to choose the geographic location of said container
- Secured channels of access to the data
- The ability to provide controls that allow no single entity to own or control access to the encryption keys
- Accounting for all copies of the data
- Compliance reports and audit trails that document which users access, or attempt to access, the protected data, as well as when the action took place
In our next two articles in this series on information security in the cloud, we’ll explore the threats and security considerations of protecting data in transit and while in use.
Todd Partridge is the Director of Strategy at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management and enterprise records management practices.