HIPAA-Compliant BYOD After the Honeymoon Arrow to Content

May 11, 2015 | Leave a Comment

By Nat Kausik, CEO, Bitglass

We met with the head of compliance of a large state healthcare organization last week. They were struggling with achieving HIPAA compliant mobility and shared their experiences and insights with us.

To start, mobile technologies are changing so rapidly that any attempt to install software on the end-point to secure or manage the device is doomed to fail. The organization had purchased and deployed a high-end Mobile Application Management (MAM) solution two years ago. The MAM solution worked great during the honeymoon period after deployment. 100% compliance on 20% of the devices.

Then cracks began to appear. First, the deployment stalled as users beyond the first 20% refused to install the app on their BYO devices. Then, users with the app upgraded their devices and needed help porting the MAM clients at each upgrade. Then, the MAM clients stopped working with certain types of devices. Calendar invites appeared weeks after the meetings were done. Emails were getting dropped. Physicians would have none of that nonsense, and IT was forced to open up ActiveSync direct for all users. Pretty soon, 90% of users were connecting directly their native email clients on BYOD via ActiveSync. So 100% compliance on 10% of devices plus 0% compliance on 90% meant a net 10% compliance. And physicians had the most non-compliant BYO devices, dealt with most PHI.

The same story plays out at even the largest healthcare organizations. Indeed, following the above meeting we met with the newly minted Chief Data Officer at a very large healthcare organization with over a 100K employees. Same story. MobileIron MDM for all users. But after the honeymoon ended, physicians get to connect any device direct. And so did any other user who figured out that ActiveSync direct was open.

How do you maintain HIPAA compliance on any device after the honeymoon? Bitglass, of course.

 

The Top 10 Cloud Services in Government That Don’t Encrypt Data at Rest Arrow to Content

May 7, 2015 | Leave a Comment

By Cameron Coles, Sr. Product Marketing Manager, Skyhigh Networks

Sensitive data in the cloud is more widespread than you may think. Analyzing cloud usage for 15 million users, Skyhigh found that 22% of documents uploaded to file sharing services contained sensitive data such as personally identifiable information (PII), protected health information (PHI), or payment information. Far from being an isolated problem, 37% of file sharing users have uploaded sensitive data at some point. For public sector organizations, the stakes are higher due to unique regulatory requirements, but all organizations struggle with visibility into the thousands of cloud services available and wide variance in security controls amongst them.

A recent study found that two-thirds of US Federal government agencies failed to meet a June 2014 deadline to follow FedRAMP cloud security guidelines. FedRAMP is just one way of assessing the security of cloud providers. Skyhigh assesses cloud providers across over 50 attributes of enterprise readiness including those found in the Cloud Security Alliance Cloud Controls Matrix. Of the 10,000+ cloud services in use today, just 9.4% meet the strict security and data privacy standards required to achieve the highest rating of “enterprise-ready” by Skyhigh’s CloudTrust Program.

However, in the last 12 months an increasing number of cloud services offer more robust security features and certifications. 1,459 services (17%) provide multi-factor authentication, as opposed to 705 last year; 533 (5%) are ISO 27001 certified, as opposed to 188 last year; and 1082 (11%) encrypt data at rest, as opposed to 470 last year. The last statistic shows just how much room there is for improvement. Security analysts say that information encryption is one of the best measures to protect organizations from a wide range of data leakage issues:

  • If an attacker compromises the data, they will not be able to read it without the encryption keys
  • Encryption removes the breach notification requirements for regulations like HIPAA
  • Encrypting data can help satisfy cross-border data privacy requirements when data is stored in the cloud
  • When organizations maintain control of their encryption keys, encryption prevents the cloud provider from viewing the information

Despite the benefits of encryption, some of the biggest names in cloud computing do not encrypt data stored at rest in their cloud services today.

blog image - government encryption list 600

Based on data from Skyhigh’s Service Intelligence Team, the top cloud services used in government that don’t encrypt data at rest includes three email providers: Gmail, Hotmail, and AOL Mail. Some of the services found in the top 10 like Paypal can be used to store payment card numbers and bank account information. Another service that doesn’t encrypt data stored at rest is eBay, which suffered one of the biggest data breaches of 2014 when 145 million account credentials were stolen.

While all of the above services would be considered “personal” vs. “enterprise/government”, there have been highly publicized examples of shadow IT use in even the highest levels of government. This list of wildly popular services that don’t encrypt data serves as a timely reminder of the potential risks of going around IT when employed by a government organization or agency.

For a complete look at trends shaping government cloud usage including the top services in use in government overall, fastest growing apps, and the gap between cloud services organizations intend to block and actual block rates, download the Cloud Adoption & Risk in Government Report.

 

Cloud Security Alliance Releases Candidate Mapping of FedRAMP Security Controls Arrow to Content

May 5, 2015 | Leave a Comment

By the CSA Research Team

Today at the Cloud Security Alliance Federal Summit being held in Washington, DC, the CSA today announced the release of the Candidate Mapping V4 of the FedRAMP security controls to version 3.0.1 of the CSA Cloud Controls Matrix (CCM).

The FedRAMP controls are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53r4 which defines 17 families of Security and Privacy Controls to be used by Federal agencies. The CSA CCM provides a control framework that is aligned to the Cloud Security Alliance guidance in 13 security domains and builds on the foundations of other industry-accepted security standards, regulations and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, Jericho Forum, NERC CIP as well as NIST.

“In closely mapping the two security controls, Federal agencies can now better assess a cloud provider’s security controls and also address what controls need to be in place to ensure the provider is compliant with FedRAMP standards,” said Jim Reavis, CEO of the CSA. “The mapping will also help reduce the burden of getting the assessments and certifications for cloud vendors wanting to serve the Federal agencies.”

The Candidate Mapping shows that 90% of the FedRAMP controls correlate to the controls defined in the CCM. The documentation of this alignment will support a variety of constituents in the Federal cloud marketplace:

  • Cloud Service Providers (CSPs) will be provided with guidance on how their security frameworks can be developed and documented to address the requirements of multiple assessment standards, reducing the level of effort associated with obtaining multiple security certifications;
  • Assessors and auditors will be able to use the alignment to leverage documentation and artifacts to enable them to assess CSP security postures across multiple standards in an efficient manner
  • Federal agencies will be able to evaluate CSPs who have been assessed and certified against the CCM under the CSA Security Trust and Assurance Registry (STAR) program in order to determine the likelihood of a CSP to qualify for FedRAMP certification
  • The FedRAMP Program will be able to leverage the various industry standards that are integrated into the CCM framework to further the alignment of FedRAMP controls with other industry standards.

CSA will continue to collaborate with the FedRAMP Program Office to determine the best ways to leverage the Candidate Mapping to support the goals and objectives of the FedRAMP program to improve the security of cloud services utilized by Federal government agencies.

To access the mapping visit https://cloudsecurityalliance.org/download/fedramp-cloud-controls-matrix-v3-0-1-candidate-mapping/

3 Things Startups Need to Know to Move to the Cloud Arrow to Content

May 5, 2015 | Leave a Comment

By Shellye Archambeau, CEO, MetricStream

Shellye_Headshot 2014Despite concerns around data security, businesses are optimistic about the cloud. In fact, software-as-a-service adoption has more than quintupled from 13 percent in 2011 to 72 percent in 2014, according to a cloud computing survey conducted by North Bridge Venture Partners and Gigaom Research.

For startups, the cloud has always been a great equalizer, enabling nascent businesses to compete on par with their larger, more established counterparts. In a Rackspace survey on the economic impact of the cloud, a quarter of small and medium enterprises indicated that they had increased profits by at least 25 percent, and up to 75 percent, as a result of cloud computing. What’s more, 84 percent of companies were able to increase their investment back into the business by up to 50 percent, and 34 percent saved between $7,500 and $45,000 on IT spend—all because of cloud computing.

Lower upfront costs, greater flexibility, and scalability—these are just a few reasons why your startup might be excited about jumping onto the cloud bandwagon. Before you do, here are a few things to think about:

1. Public, Private, or Hybrid Cloud?
Deciding what kind of cloud model to adopt will depend on various factors, such as the mission criticality of your applications and data, regulatory compliance obligations, and the scope of your IT budget.

Most businesses that are just starting out find great value in opting for public clouds, where the core infrastructure is shared by many organizations and hosted by a third party. The perks are many—easy access to computing resources and relatively low costs due to a pay-as-you-go model.

However, the public cloud comes with its own concerns around data security and performance slowdowns. So, if you’re in a highly regulated or sensitive industry such as banking and financial services, healthcare, or online retail, it might be wise to consider a private cloud.

Or better yet, you might opt for a hybrid cloud model which combines the best of both public and private clouds. RightScale’s 2015 State of the Cloud Report indicated that 82 percent of enterprises today have a hybrid cloud strategy, up from 74 percent in 2014.

With the hybrid cloud model, you get to keep confidential customer and financial information and high performance applications on the private cloud, while using the public cloud for less mission-critical operations, like e-mails and data backup.

2. Know Which Services and Applications to Move to the Cloud
According to RightScale’s report, 68 percent of enterprises run less than 20 percent of their applications on the cloud. However, 55 percent of enterprises also reported that a significant portion of their application portfolio is built using cloud-friendly architecture, and is therefore able and ready to be moved to the cloud.

When it comes to cloud workloads, the RightScale report revealed that 38 percent of enterprises run all or most development and testing on the cloud, while 34 percent run all or most websites on the cloud, and 30 percent run all or most Web applications on the cloud.

My advice for startups is to begin your cloud journey with applications that don’t require very low latency or high performance and availability. Once you get a feel for how these apps function in the cloud, you can move your core databases in there.

Generally, most services can be easily migrated to the cloud, including e-mail, messaging, file sharing and backup, as well as accounts, expense reporting, and customer relationship management. However, if you have any critical applications or transaction-intensive systems where the risk of network outages or downtime could seriously hamper your business, you will want to consider this carefully.

So, do the research, and make informed decisions about how the cloud can help your business. Also, don’t neglect to plan a cloud exit strategy. If, for whatever reason, you no longer want to depend on a particular cloud service provider, you need to be able to get your data back as effectively and cost-efficiently as possible.

3. Balance the Rewards and Risks of the Cloud
For startups, the cloud equals low capital expenditure—you don’t have to buy servers, or hire dedicated IT personnel. You can use as much or as little capacity as you need, and you can deploy and scale quickly. One of our customers, Zurich Insurance, discovered the benefits of the cloud when they were able to implement and derive value from the MetricStream Vendor Risk Management App over the MetricStream GRC cloud in just 12 weeks.

The other bonus of the cloud is better collaboration—in today’s global, mobile, social world, the cloud makes it easier to communicate and exchange information with teams and customers across different time zones.

Startups have a lot of options when it comes to the cloud. Cloud service giants like AmazonGoogle, and Rackspace offer a number of incentives including free cloud credit, technical training, and support for new businesses who are looking to get started on the cloud.

Yet, as with everything else, there are risks associated with the cloud—primarily around data security. The good news is that most major cloud service providers have extremely sophisticated security mechanisms built into their offerings, which are much better than what most startups could afford to invest in themselves.

There are things that startups can and must do in order to protect their data and assets in the cloud. Remember, make cloud security a top business priority. Check the credentials and certifications of your cloud service provider. Also, evaluate their security measures against established frameworks such as the Cloud Controls Matrix from Cloud Security Alliance (CSA).

Then, assess your security risks, and prioritize your assets and data accordingly. Establish risk tolerance levels—particularly when using public clouds with multi-tenancy models. For each cloud application, identify potential threats, and define a detection and incident response plan. Also, ensure that there are controls in place to comply with data security laws such as PCI DSS, HIPAA, GLBA, and relevant state regulations.

Conclusion
With attractive incentives, as well as strong security measures, the cloud is becoming an increasingly hospitable environment for startups to get their business up and running. The key is to find a cloud model that suits your unique business needs. Identify which services and applications will work best for you on the cloud. Most importantly, be risk-aware—when you know and understand your risks in the cloud, you can better protect your business, while reaping all the benefits that the cloud has to offer.

(Originally published in Xconomy

Shellye Archambeau is CEO of MetricStream, a Palo Alto, CA-based company offering governance, risk, compliance, and quality management solutions to enterprises in the pharmaceutical, medical device, high tech manufacturing, energy, financial services, healthcare, manufacturing, food and beverage, and automotive industries.

CLOUD SECURITY: HOW CAN GRC HELP? Arrow to Content

May 1, 2015 | Leave a Comment

By Vibhav Agarwal, Senior Manager of Product Marketing, MetricStream

VibhavAn integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.

One of my favorite Dilbert cartoons shows Mordac, the “Preventer of Information Service,” saying, “cloud computing is no good because strangers would have access to our data.” Dilbert tries to explain encryption technology is trustworthy—certainly more trustworthy than Mordac himself. The grain of truth here is that, within any organization, there are still mixed responses to cloud computing.

Today, enterprises are adopting cloud computing in a big way. According to CIO.com, the National Association of State CIOs (NASCIO) recently surveyed its members and reported cloud adoption is the second biggest priority for CIOs, only after cybersecurity. But CIOs today are still choosy about what data they want to place in the cloud. The majority have asserted that they do NOT want to put confidential company financial data or credit card data in the cloud. Makes sense—personal information data leaks are terrible PR.

Simply stated, the perception of cloud computing at most companies is mixed. Those advocating for the cloud speak to its improved agility, flexibility, high performance and lowered costs. Those who are still on the fence are concerned about data security, decentralization of their IT team, service reliability and the loss of control over their IT ecosystem. Both sides of the debate have valid points.

10 Key Imperatives
To increase acceptance and adoption of cloud computing at your organization, there are 10 must-haves that can be sub-divided into two groups – infrastructure imperatives and information security imperatives. The first set is the infrastructure imperatives, which affect the cloud-hosting environment:

  1. Federated identity management & access control– The cloud-based system must permit several users at a time, with differing levels of access to ensure proper segregation of duties.
  2. Centralized control and visibility over the IT landscape– The IT manager should have the capability to monitor and manage the system from a centralized console.
  3. Dynamic failover protection & data replication– The system should guarantee 99.5 percent reliability as a minimum.
  4. Automated application performance management– For a uniform user experience, the system should ensure performance as per the service-level agreement (SLA).
  5. Network segmentation– The ability to segment and segregate the networks, across various customers, will ensure minimal propagation of any cybersecurity issue. Given the proliferation of cybersecurity threats and vulnerabilities, the remaining five are information security imperatives that apply to both hosted and otherwise.
  6. Continuous threat and vulnerability assessments– Data center security needs to be assessed regularly to ensure adherence to latest information and network security standards.
  7. Security upgrades and monitoring on demand– Monitor security posture and ensure that regular updates are being provided as per the latest set of cyber-threats.
  8. Meta-data driven information security– Analysis of meta-data being generated across the security and system logs will identify significant, potentially malicious, patterns.
  9. Continuous control monitoring of policies– It is vital to have continuous monitoring and adherence to security, access and other policies across the cloud.
  10. Virtualized security & perimeter controls– The security and perimeter controls need to percolate to the virtualized machine level.

How can we achieve these imperatives across cloud-based deployments?
The enterprise needs to implement a robust governance-risk management-compliance (GRC) framework across the complete cloud infrastructure, which can act as a the single source of truth across all regulatory compliances, security and access controls as well risk and vulnerability assessments.

Wish list for a GRC Framework

Basic Components
First, let’s look at the “bare minimum” requirements for a GRC framework for cloud computing:

  • Continuous system monitoring– Feed regular system related logs and reports into the GRC framework for continuous risk assessments.
  • Penetration Testing audits– Audit the third-party penetration test results, findings and remediations on a pre-determined schedule.
  • Incident response management– Create and manage a defined workflow within the organization to ensure a coordinated response from various departments such as IT, Legal, Finance, etc. and respond appropriately to any cloud security events.
  • Data portability testing– Perform a yearly or quarterly audit and document the process and audit findings to ensure that the data is portable across data centers.
  • Disaster recovery & business continuity– Ensure that proper disaster recovery and business continuity measures are in place along with regular tests and documentation.
  • Onsite & offsite backup audits– Audit backups to check for their ability to restore data.

Advanced Components
Once the must-haves have been checked off, here is a list of “nice to haves”:

  • Data encryption audits– Audit and document the storage control and key management procedures for encrypted data. This is typically applicable for sensitive data only.
  • Forensics log management and reporting– Analyze meta-data continuously generated by system and security logs, and identifying any adverse patterns.
  • Elasticity & load tolerance testing– Ensure that resources can be augmented in the peak performance periods by performing regular load tolerance and elastic demand management testing.
  • Advanced cyber-attack prevention measures– Monitor and implement cyber attack prevention measures pro-actively by integrating with new threat and vulnerability solutions.
  • Advanced cloud security analytics– Establish an advanced cloud security analytics information center as part of the GRC dashboard and centralize its monitoring and management.

Apart from the components listed above, as the cloud computing world evolves, there is an increasing number of regulations and checklists coming up to ensure its adherence to established standards, including SSAE16 SOC 2 controls, FedRAMP certification, HIPAA regulation and Cloud Security Alliance (CSA). Your organization’s GRC framework for cloud should be able to streamline the audit and checklist-based assessments around these and ensure proper adherence to world-class standards for cloud adoption and security.

Conclusion
An integrated GRC approach to cloud acceptance, adoption and scale includes the risk perspective from the beginning. Harnessing the power of cloud security with a GRC framework can promote and improve information security practices and drive better business performance.

 

 

White-Hat Malware Arrow to Content

April 29, 2015 | Leave a Comment

By Chris Hines, Product Marketing Manager, Bitglass

white-hat-malwareAs many of you know, we recently released the results of the first ever data tracking experiment in the Dark Web. In the “Where’s Your Data?“ experiment, we used our patent-pending watermarking technology to embed invisible trackers within an excel spreadsheet of 1,568 fakes names, SSNs and credit card numbers. We then placed this spreadsheet in 8 locations within the Dark Web, and tracked where it travelled to and how fast it could spread. 12 days, 1,100 clicks, 47 downloads, 22 countries and 5 continents later we had our answer.

In speaking with a few attendees at the RSA conference, it became clear that some folks viewed the experiment as malware (a typical response from some of security’s more apprehensive bunch). A typical question was, “so you essentially used malware against them?”

I thought it was pretty funny, laughing as I explained more about the experiment to them, because they did have a fair point. If you really think about it, the watermark can be considered “malware-esque.” In actuality, it’s a tool built to provide enterprises with visibility into where corporate data is travelling, so that they can act accordingly. Embedding hidden sprinkles within documents, and then extracting data as a result of it (in this case user, device type, location, time) does strike an uncanny resemblance though. I guess you can call it white-hat hacking.

Today’s security world reminds me of the classic fantasy tales, where it seems like the bad guys always have the better gear (think Star Wars, Lord of The Rings, Fast and the Furious 7). Way cooler, way faster, way stronger, but the good guys always prevail. This watermark technology helps even the playing field a bit, giving the good guys a pretty badass weapon to fight back against the hackers and cyber criminals.

And you know what? The industry deserves this. Too long have companies feared moving to the cloud. Too long have breaches gone unnoticed, affecting millions of customers in the process. It’s not fair to the people whose data has been lost. Today 53% of breaches are the result of malware. It’s about time we start shrinking that number considerably.

As securers our job is to be a modern day blacksmith, forging technology that enterprises can use to protect themselves from the crooks. Happy to be working for a company that gets that.

 

Banking on the Cloud: How to Enable File Sharing in Financial Services Arrow to Content

April 27, 2015 | Leave a Comment

By Chau Mai, Sr. Product Marketing Manager, Skyhigh Networks

Skyscraper FinServ blogAccording to Gartner, CISOs face a “double-edged sword” as they are tasked with combating the growth of shadow IT while enabling secure access to approved cloud services. Cloud file sharing and collaboration services can be an area of risk as industries must remain vigilant about protecting their IP, ensuring regulatory compliance, and meeting data residency requirements. Today, we’ll take a look at cloud file sharing and collaboration for one industry in particular, Financial Services, which is subject to regulatory requirements including GLB, PCI DSS, and state and national privacy laws.


What specific challenges do Financial Services firms face?
Whether you’re a bank, an insurance company, or an investment advisory firm, sending your confidential information up to a cloud file sharing services comes with a unique set of concerns:

  1. External collaboration governance, i.e. control over how sensitive files shared outside the company
  2. Compromised accounts and data theft from insiders
  3. Content and compliance, i.e. ensuring that sensitive files that are subject to compliance do not leak out of the organization
  4. BYOX and content proliferation, i.e. the rise of mobile and the growth in content being accessed from anywhere and from any device

Across all cloud service categories, file sharing accounts for 39% of all company data that’s uploaded to the cloud – and the average company uses 49 such services. Among file sharing users, 34% have uploaded sensitive information to one of these services, information that includes personally identifiable information (PII), payment card information, or other sensitive data that financial services firms own. What’s more, 21% of documents uploaded to file-sharing services contain sensitive or confidential data – not a trivial amount. Lastly, the sharing of information is occurring outside the company itself. Skyhigh found that 18% of external collaboration requests actually went to third-party email addresses (e.g. Gmail, Hotmail, and Yahoo! Mail). File sharing enables collaboration, which is a good thing, but when sharing is extended to un-verified personal accounts it can create risk for the organization.

How can firms safeguard themselves?
Fortunately, there are a host of cloud file-sharing providers who are dedicated to ensuring that your data is safely housed within them. Box, for example, provides security features to help you configure permissions and privileges, set custom security policies, and track activity that occurs in Box.  They are one of the rare cloud file sharing and collaboration providers that do all three of the following:  provide granular access controls, encrypt data at rest, and support multi-factor authentication.

Looking at the market as a whole, we see that only a fraction of cloud file sharing providers provide these key security features:

  • Provide granular access controls – 53%
  • Encrypt data at rest – 36%
  • Use encryption strength 256-bit or higher – 22%
  • Support multi-factor authentication – 16%
  • Penetration testing performed by the cloud service provider – 36%
  • Compliance certifications (such as ISO 27001, SOC2, etc) earned by the cloud service provider – 64%

When we compare all file-sharing services against those providers who specifically have an Enterprise offering, the differences are even more telling. The data shows that a higher percentage of providers with an Enterprise file sharing offer support for all of the security features mentioned above (for example, 46% support encryption at rest, vs. 36% for all cloud file sharing services). Improvements were found in other areas as well; for example, the percentage who supported anonymous use – which is seen as adding risk – dropped from 18% to 6%. From these data points, we can see that companies who sell to large enterprise have an interest in fulfilling the more stringent security and compliance requirements that those customers want.

In addition to the cloud providers themselves, end-users play a key role. We know that most employees who use cloud file sharing services are well-meaning users who simply need to be educated on what’s appropriate and what’s not. (My previous post outlines how just-in-time coaching can reduce your firm’s use of high-risk by 65%).

Gartner’s guidance
Gartner suggests that companies with stringent security and compliance requirements consider a Cloud Access Security Broker (CASB) to augment the native security capabilities of cloud file sharing and collaboration services.  According to Gartner, a CASB should provide visibility, threat detection, compliance, and data security capabilities. If you’d like to learn more, Gartner has published a set of recommendations for organizations interested in mitigating the risks of moving to file-sharing services while reaping the benefits.

Compromised Accounts and Cloud Activity Arrow to Content

April 23, 2015 | Leave a Comment

By Krishna Narayanaswamy, Founder and Chief Scientist, Netskope

2015-04-Netskope-comp-credentialsLast week, we released our Netskope Cloud Report for this quarter – global as well as Europe, Middle East and Africa versions.

This report builds on our January Netskope Cloud Report in which we highlighted research on compromised user accounts. In it, we estimated based on our research that 15 percent of enterprise users have had their credentials stolen in a prior data breach. This quarter, we report that that number is 13.6 percent over the report’s time period. We also correlate that data with the active usage data in our cloud. When you marry activity-level security analytics with data on compromised accounts, the risk picture becomes significantly more clear.

Among the more interesting findings from the report is that 23.6 percent of logins to Customer Relationship Management apps are by users who have had their account credentials (personal or corporate) compromised in a prior major data breach. While many IT and security organizations ensure that these important corporate apps are monitored and secured with an identity management solution, it’s an important reminder that users re-use logins and passwords across multiple accounts. It’s also important to note that for every one of these types of corporate apps, there can be dozens of ecosystem apps connected to it. So even if an app is well-secured, what about the apps that integrate with it?

Another key finding is that 70 percent of data uploads by users with compromised accounts are to apps that are rated “poor,” as compared with 30 percent for an average user. Monitoring cloud activity at the intersection of compromised users and risky apps goes a long way toward understanding security threats related to cloud apps – uploads to risky apps could signal data exfiltration, downloads could be malware, excessive activity could be a hijacked account. Looking at these pockets of activity can help you suss problems out quickly.

These are just a couple of examples to show the importance of understanding not just how many users with compromised accounts you have in your environment, but also how those users are interacting with your cloud apps and business-critical data.

 

 

The Cloud Economy: 11 Essential Trends About How Companies Connect to Each Other Via the Cloud Arrow to Content

April 21, 2015 | Leave a Comment

By Kamal Shah, VP, Products and Marketing at Skyhigh Networks

cloud economy imageThe cloud is having a measurable impact on business – IT departments are migrating to cloud services in order to take advantage of faster time-to-market, reduced operational costs, and reduced IT spending and maintenance costs. In addition, employees are rapidly adopting cloud services to help them do their jobs with greater mobility. Productivity is soaring, and this interconnectivity has given rise to a new economy: the cloud economy.

The seventh installment of our quarterly Cloud Adoption and Risk (CAR) Report presents a hard data-based analysis of enterprise cloud usage. With cloud usage data from over 17 million enterprise employees spanning all major verticals, this report is the industry’s most comprehensive and authoritative source of information on how employees are using cloud services. And, this latest edition expands its scope to include the risk to enterprises from business partners connected through the cloud.

You can download the full report here. In addition to popular recurring features such as the Top 20 Enterprise Cloud Services and the Ten Fastest-Growing Applications, the latest report contains several eye-opening findings including the extent of cyber risk from partner connections. View the slideshow below for more highlights from the report.

The Cloud Economy: 11 Essential Trends About How Companies Connect to Each Other Via the Cloud from Skyhigh Networks Cloud Security Software


8% of Partners Are High-Risk, but Receive 30% of Data
A number of attributes can classify a partner as high-risk, including being affected by malware of botnets, having compromised identities for sale on the darknet, suffering from a breach, or being exposed to vulnerabilities such as POODLE. High-risk partners receive 30% of all data shared with partners — a disproportionately large amount.

58 “Super Partners” Are Connected to Over 50% of Enterprises
Many partners are well connected among the largest organizations, meaning a vulnerability within a single partner could have far-reaching consequences. The risk of these super partners is higher than overall rate, with 12.5% considered high-risk. Top super partners include pest control, IT services, software, equipment manufacturing, hospitality, and consulting companies.

One Partner Has Over 9,000 Compromised Identities and 200 Devices with Malware
The report gives the risk attributes for several example partners. One airline had 9,716 credentials for sale on the darknet and 209 devices infected with malware. A financial services technology provider had 1,216 compromised identities across 19 darknet sites. An advertising agency had 1,565 compromised identities for sale across 29 darknet sites. All three partners are still vulnerable to POODLE.

Enablers of the Cloud Economy
Certain cloud services stand out as hyper-connectors, enabling the most partner connections. The top cloud connectors in the customer support category are Zendesk, Salesforce, and GrooveHQ. For file sharing, Sharefile, Box, and Wiredrive are the top connectors. In the collaboration category, the top connectors are Cisco WebEx, Slack, and Office 365.

Highest Risk Partner Categories
Not all partner categories are equal when it comes to risk. Telecommunications companies had the highest percentage of high-risk businesses, at 30% — double the rate of the tenth highest-risk category, Travel. Security teams should pay special attention to interactions with partners falling into the categories on this list.

The Cloud Guide to RSA Arrow to Content

April 10, 2015 | Leave a Comment

By Sam Bleiberg, Communications Associate, SkyHigh Networks

Evening_Crossing_Bay_Bridge_San_Francisco_CaliforniaSan Francisco hosts more than its share of conferences and festivals, and residents know the best way to maximize your time at events is to go in with a plan. With that in mind, we created a Skyhigh guide to RSA. Planning your agenda from the laundry list of speaking sessions is overwhelming. The guide specifically highlights sessions on cloud security from a host of industry voices including analysts, enterprise practitioners, board members, and the founder of the Cloud Security Alliance. (Not signed up for RSA? Get in free with this code.)

Security Technologies
From Nonexistent to Gartner’s #1 Security Technology in Three Years: What’s a CASB?
Gartner analysts Neil MacDonald and Peter Firstbrook first called attention to the cloud access security broker (CASB) category in May of 2012. Two years later, Gartner named CASB the number one security technology for 2014. Cloud’s transformational power in the enterprise has driven the need for this layer of security, with features including visibility into shadow IT, data governance, and encryption. Learn why progressive organizations including Cisco, HP, Western Union, and Zurich Insurance rely on this tool within their security portfolios. Panel participants include some of the top names in enterprise security, as well as MacDonald himself as moderator.

Beware the Cloudpocolypse: A Panel on Security from Cloud Providers
While enterprise-ready cloud providers can be more secure than on-premise storage, the propagation of consumer cloud services in the enterprise and the lack of visibility into cloud use are leading down the path to a “cloudpocolypse.” With Cloud Security Alliance founder Jim Reavis moderating, this session should provide an excellent high-level introduction to the risk posed by line of business cloud adoption. Specifically, there should be an interesting debate on which security responsibilities reside with the cloud provider, security provider, and enterprise.

Cloud Threats to the Enterprise
Addressing the Cloud Security Challenge: A Practitioner’s Experience
Jim Routh, CISO at Aetna, is not only a forward-thinking security leader, he’s also an excellent speaker, and his talk at the Cloud Security Alliance Summit at RSA promises valuable insights from the practitioner’s perspective. Routh has taken a proactive approach to cloud visibility and security, making a point to cut the sensationalism out of security to focus on data-driven decisions.

Victims DON’T Have Their Heads in the Clouds: An Insider Threat Case Study
While Snowden made insider threat a top of mind issue for every security team, the reality is that small-scale insider threat incidents frequently fly under the radar. Cloud offers a dangerous vector for insider threat because organizations lack control for sanctioned and unsanctioned cloud services. Only 17% of companies reported an insider threat incident at their organization in the past year, but 85% of companies had cloud usage activity strongly indicative of insider threat. We highlighted six particularly nefarious tales of insider threat in the cloud; this panel should provide practitioners with useful tips for preventing cloud insider threat.

Something Awesome on Cloud and Containers
It’s a good rule of thumb to tune in whenever Rich Mogull talks cloud security. While the description is ambiguous, this talk featuring the Securosis founder is mandatory for those paying attention to the cutting edge of cloud security.

Six Degrees of Kevin Bacon: Securing the Security Supply Chain
The average organization connects with 1,555 partners through the cloud, with 30% of data shared going to high-risk partners. Despite being the source of high-profile breaches at organizations like Target, risk from the partner environment is underrepresented in security industry conversations. In the case of Target, a heating and cooling vendor served as the entry point for attackers. This session covers a key security vector – one that may lead to future breaches if not properly addressed. Review our Q1 Cloud Adoption and Risk Report for key risk metrics from partner cloud connections.

Catered to the C-Level
Inside the Boardroom: How Boards Manage Cybersecurity and Risk
Cloud use and security have risen hand in hand, from lines of business, to the IT department, to the CIO and CISO. In 2014, security finally arrived in the boardroom with multiple CEOs losing their jobs in response to data breaches. This panel offers multiple perspectives, including those of a board member and a CISO.

Security Metrics That Your Board Actually Cares About!
Further to the topic, Australia Post CISO Troy Braban will share tips from his experience on selecting security metrics that resonate with the board. With Australia’s strict data residency regulations, Braban’s perspective should have great insights for security practitioners at global organizations.

 

 

 

 

Page Dividing Line