eBook: The DeÞnitive Guide to CLOUD SECURITY · The DeÞnitive Guide to Cloud Security ... study by the Cloud Security Alliance ... 12 How do I track and log all user and admin actions

The Definitive Guide to Cloud Security

CLOUD SECURITYThe Definitive Guide toeBook:

Brought to you byBrought to you by

Chapter 1: Introduction – Cloud Adoption and Risk Today

Chapter 2: Cloud Visibility

Chapter 3: Cloud Compliance

Chapter 4: Cloud Threat Prevention

Chapter 5: Cloud Data Security

Chapter 6: Shadow IT

Chapter 7: CRM

Chapter 8: File-Sharing and Collaboration

Chapter 9: What is a CASB?

Chapter 10: Quantifying the Value of a Cloud Access Security Broker

Chapter 11: Conclusion - Parting guidance on evaluating CASB vendors

Page 1

Page 4

Page 7

Page 11

Page 16

Page 21

Page 25

Page 28

Page 33

Page 36

Page 39

Table of Contents

The cloud (SaaS, PaaS, and IaaS) is transforming business for the better, making employees more productive and businesses more agile. As the cloud market matures, analysts and market researchers are discovering hard data supporting the benefits of the cloud for enterprises. The latest numbers from Vanson Bourne Research show that the cloud is providing organizations with a 21% reduction in product time to market, a 17% reduction in IT maintenance costs, a 15% reduction in IT spend, and an 18% increase in employee productivity.1 With these types of metrics in hand it’s no surprise that 60% of CIOs state that the cloud is their #1 priority this year.2

However, this enthusiasm for cloud adoption is tempered by security, compliance, and governance concerns. IDC shows that security and privacy remain the top inhibitors of cloud adoption.3 Given the seemingly endless supply of headlines on data breaches, it’s understandable, if not expected, that security of data in the cloud is now a board-level concern for 61% of organizations, according to a recent study by the Cloud Security Alliance (CSA).

Introduction – Cloud Adoption and Risk TodayCHAPTER 1

KEY STAT: 60% OF CIOS STATE THAT THE CLOUD IS THEIR #1 PRIORITY THIS YEAR

PAGE 1 | CHAPTER 1 | INTRODUCTION – CLOUD ADOPTION AND RISK TODAY

1 http://venturebeat.com/2012/08/07/google-cfo-cloud-study/

2 http://www.businessinsider.com/infographic-its-not-easy-to-be-a-cio-2012-2#!HqX9i

3 http://www.opendatacenteralliance.org/docs/1264.pdf

Skyhigh Network Cloud Adoption and Risk Report: Q4 2014


The phenomenon of employees’ self-enabled cloud services (cloud services procured and managed outside of IT’s purview), often referred to as “Shadow IT”, complicates the situation for IT and IT Security teams. Even if organizations are taking a deliberate approach to cloud and adopting cloud services strategically while implementing the required security, compliance, and governance controls around them, employees are likely not acting with the same consideration when they sign up for new cloud services on their own. In fact, with up to 90% of cloud activity driven by individuals and small teams, the average company now uses 897 cloud services, up 43% over the last year.4

Vanson Bourne Research

60% of CIOs state that the cloud is their #1 priority this year.

4 http://venturebeat.com/2012/08/07/google-cfo-cloud-study/


With cloud adoption at an all time high and damaging headlines catalyzing conversations around data security, enterprise IT is looking for ways to partner with the business to manage the move to the cloud. Increasingly, these enterprises are turning to analyst and industry thought leaders to help them navigate this new security landscape.

Neil MacDonald, Craig Lawson, Peter Firstbrook, and Sid Deshpande of Gartner have been particularly adept in providing the market with a usable framework for managing cloud security. Their framework organizes around four pillars of functionality: Visibility, Compliance, Threat Prevention, and Data Security. In this eBook we will dive into the details of each pillar, providing relevant and related data points for consideration, and describe how forward-leaning IT teams are managing cloud security today using this framework.

Gartner

In 2015, roughly 10% of overall IT security enterprise capabilities will be delivered as a cloud service.

PAGE 4 | CHAPTER 2 | CLOUD VISIBILITY

Cloud services are incredibly easy to adopt, with most requiring only an email or a credit card to sign up. The result is that individual users and business units often begin using cloud services without any involvement from IT. The benefit is that users and business units are able to readily and rapidly adopt services that drive productivity and agility for the business. The downside is that IT often has little to no visibility into the full scope of IT services employees are using. Without visibility, it becomes very difficult for IT to manage both cost expenditure and risk in the cloud.

With regards to visibility, Gartner says that enterprises must protect their sensitive data for various commercial and legal reasons. Regardless of whether the cloud services in use are shadow IT or sanctioned IT, businesses need visibility into which services employees are using, what data is stored in them and shared from them, any anomalies in usage behavior that indicate a compromised account, and who is using each service and from which devices and geographies.

Enterprises must also ensure that they don’t cross a “perceived ethical of legal privacy boundary” when monitoring the use of cloud services. Fore example, the same methods that can be used to monitor sanctioned cloud services, could also be used to monitor personal Facebook or Instagram accounts. Requirements for privacy may vary greatly in different verticals and geographies.

Cloud VisibilityCHAPTER 2

KEY STAT: 72% OF COMPANIES DON’T KNOW THE SCOPE OF SHADOW IT AT THEIR ORGANIZATION BUT WANT TO KNOW


Enterprises must also integrate their cloud visibility into existing systems, such as SIEMS for continuous monitoring and event management.5

The average employee uses 27 different cloud services6 at work, including six collaboration services, four social media services, and three file-sharing services. Many of the services used in the office are consumer grade services and security is not a given, so understanding which services employees are using, what type of data is uploaded to and shared through the services, and what security capabilities the services have is a must.


Cloud Security Alliance

30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects.

5 Mind The SaaS Security Gaps: G00263947. Craig Lawson, Sid Deshpande. 2014

6 Q4 2015 CARR

1Which services are employees and business units using overall and in each category (e.g. file sharing, social media, collaboration)?

7 Which services house sensitive or confidential data today?

2 Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?

8 What are the security capabilities of the services storing sensitive data?

3 What is the risk-level of each service in use? 9Which data is available to external collaborators outside of the company?

4How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies? 10 Which partners’ cloud services are employees accessing

and what’s the risk of these partners?

5Which redundant services are employees using, and are they introducing additional cost and risk and inhibiting collaboration?

11 Which external collaborators are granted access to our company’s services?

6 How do I quantify the risk from the use of cloud services and compare it to peers in my industry?

12 How do I track and log all user and admin actions for compliance and investigations?

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD VISIBILITY:


PAGE 7 | CHAPTER 3 | CLOUD COMPLIANCE

Today’s enterprises have deployed cloud services to support CRM, ERP, HR, Collaboration, and Backup operations. Applications like Salesforce, ServiceNow, Workday, Box, and Office 365, support mission-critical business functions, and because of this they often house sensitive or confidential information, such as customer data, financial data, employee data, IP, or security infrastructure data. Locating this type of data in the cloud is not a rare event; in fact it is now commonplace.

For example, 22% of files uploaded to file-sharing services contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; and PHI (protected health information) such as medical record number or health plan beneficiary number.

Furthermore, 37% of employees uploaded at least one file to a file-sharing cloud service that contained sensitive or confidential data over the course of a business quarter.7 In order to drive compliance, IT leaders are looking for ways to identify enterprise-ready cloud services that support various use cases, locate where sensitive data is housed, audit how sensitive data is handled, and protect sensitive data from loss. With regards to compliance, Gartner says that compliance will always be a core security deliverable.

Cloud ComplianceCHAPTER 3

KEY STAT: 37% OF EMPLOYEES UPLOADED AT LEAST ONE FILE TO A FILE-SHARING CLOUD SERVICE THAT CONTAINED SENSITIVE OR CONFIDENTIAL DATA LAST QUARTER


They indicate that, with regards to SaaS applications, compliance-supporting activities should cover:

• Answering the who, what, when, why and where questions with provable data for various compliance regimes.

• Providing assistance with out-of-the box compliance reporting for major compliance standards.

• Auditing user behavior across cloud applications, regardless of the device (e.g. PC or mobile) or method of access (e.g. browser or mobile app).

• Enabling integration within the enterprise by supporting log generation that can be used with existing SIEMs.

• Guiding the organization to specific cloud services that satisfy both functional requirements of the users and the compliance and risk requirements of the business. This is especially important given the thousands of options available in the cloud today.8



Gartner

Compliance will always be a core security deliverable.


As Gartner references, there are over 10,000 cloud applications today, all with varying degrees of security, compliance, and governance capabilities. Despite this diversity of offerings, companies across industries must ensure compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other regulations. In order to do so they must ensure the protection of various types of personal information, including:

While the cloud provider is responsible for the security of their product, compliance is based on a shared responsibility model, whereby the enterprise using the cloud service must also take measures to maintain the privacy of employee and customer data. Within the enterprise, users, IT/Security, and Audit/Compliance all share responsibility for compliance.

• Names

• Address

• Birthdate

• Telephone or fax number

• Email address

• Social security number

• Medical record number

• Health plan number

• Bank account numbers

• Professional certificate or license number

• License plate number

• URLs or IP address

• Finger and voice prints

• Full face photographs

• Any unique identifying number


80% or cloud governance committees include IT Security.


1 Which applications house sensitive data subject to regulatory compliance?

6 Which administrators have behavioral anomalies that indicate excessive privilege access?

2 What are the security capabilities of the services housing sensitive data?

7 When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?

3 What are the legal terms of the services housing sensitive data?

8 How do we leverage previous resource investments and extend existing on-premises data loss prevention policies to the cloud?

4 Which employees are accessing sensitive data, and how are they using or sharing it?

9 How do we implement a closed workflow to review, remediate compliance violations, and educate violators?

5 Which employees are uploading sensitive data to high-risk services?

10 Is sensitive data kept in a specific country or region to comply with international data residency requirements?

KEY QUESTIONS IT SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD COMPLIANCE:


PAGE 11 | CHAPTER 4 | CLOUD THREAT PREVENTION

Cloud services, like on-premises systems, can be the target of attacks aimed at stealing corporate data or damaging the business. Attacks typically leverage the cloud in one of two ways: they use cloud services as sources of sensitive data to steal, or they use cloud services to exfiltrate stolen data.

Some enterprise-ready cloud services have security capabilities that exceed those of the enterprise data center, but that does not necessarily protect them from insider threats or compromised identities. In fact, compromised identities and insider threat are the two main drivers of the first threat vector (cloud services as the source of data to steal), and they are far more common than most IT professionals realize.

Cloud Threat PreventionCHAPTER 4

KEY STAT: 17% OF COMPANIES REPORTED AN INSIDER THREAT LAST YEAR, BUT 85% OF COMPANIES EXPERIENCED ONE

According to the Cloud Security Alliance, 17% of companies reported an insider threat last year, but in fact 85% of companies experienced one.9 This discrepancy exists because so many attacks go under the radar today. Further, 92% of companies have at least one corporate cloud service login credential available for sale on the Dark Net today.10




30% of IT Security teams list concerns over compromised accounts and insider threats as a top challenge holding back cloud projects.

9 Skyhigh Networks Cloud Adoption and Risk Report: Q3 2014

10 Skyhigh Networkss Cloud Adoption and Risk Report: Q4 2014


In order to prevent against insider threats, organizations can employ machine learning to identify anomalous behavior that indicates a threat in progress. Triggers are often large or repeated downloads of sensitive data or excessive privileged user access. Insider threats could be aimed at stealing enterprise data from the cloud, such as IP from a file sharing service or security infrastructure from an IT management service, but the most common insider threat seems to be the theft of customer sales data from CRM services, perpetrated by sales reps or sales operations managers who plan to leave the company. Additionally, malware attacks are also now targeting cloud services. Last year’s much publicized Dyre malware would monitor browser activity to steal credentials for cloud services that housed valuable corporate data.

Attackers also increasingly look upon cloud services as a clever way to exfiltrate data under the radar. With the average company using almost nine hundred cloud services today and IT often not having visibility into their usage, attackers know that unmanaged cloud services can be a fertile territory for malicious behavior and frequently use popular and seemingly harmless services to execute their operations. For example, malware employed by a foreign national government recently used YouTube to exfiltrate stolen intellectual property. The attackers created VAR segments, inserted the stolen data into mpg4 files, and then uploaded them onto YouTube. The videos would play within YouTube, but once downloaded the VAR segments could be unpacked providing the attackers with the stolen data. In another startling example, malware leveraged a Twitter account to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets. While these attacks are almost amusingly clever, they serve as a serious reminder that threat prevention must be a core focus of any cloud security project.


31% of companies are “not sure” if they experienced an insider threat incident last year.


With regards to threat detection, Gartner says that, in on-premises applications that were protected by network/host security and access management, Security could control all application access from authorized users from defined locations while also inspecting for malicious content, regardless of the network channel or protocol. However, in today’s Internet Age, with billions of users accessing the Internet via browsers, enterprise cloud applications are now accessible to anyone with an internet connection. Because of this fundamental change, new controls are required in order to protect enterprise data. Particularly, new controls are needed for cloud service to manage events such as:

• Access from known suspicious countries, locations, devices, locations, or unusual access times or data volumes.

• Access from compromised cloud service accounts.

• Access from canceled accounts or from accounts that have remained idle for excessive periods of time.

• Access directly to cloud services that bypasses security controls.

• Access via outdated operating systems or browsers that are no longer supported and are thus more vulnerable to attacks.11

Malware leveraged Twitter to exfiltrate stolen data, 140 characters at a time, over a sequence of 86,000 tweets.


1 What does normal behavior for any given service look like? 6 Which cloud services have behavior anomalies that

indicate insider threat?

2 How does a user’s role affect their normal cloud service usage patterns? 7 Which cloud services have behavioral anomalies that

indicate malware at work?

3 How do I monitor and baseline usage across the enterprise for both local and remote employees? 8

Which cloud services have behavioral anomalies that indicate an account is compromised?

4 Which users are accessing large volumes of sensitive data? 9 Which cloud services in use are rated as high-risk and

have an anonymous use policy?

5 Which administrators are accessing large volumes of sensitive data?

KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD THREAT DETECTION:


As many a CIO and CISO will tell you - IT Security, today, is all about protecting data, not data centers – and this is largely product of cloud. When considering data security it can be helpful to examine both the security of the service the data lives in and the security of the devices that have access to the data.

Some cloud services have security capabilities that far-exceed most corporate data centers. However, with over 10,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features. Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt data at rest. For this reason, it is important to look at the risk of services individually and enable risk-based policies on acceptable usage.12

In services with high levels of built in security, users and their devices can often be the weakest link. Users frequently lose devices or leave them in insecure locations and are prone to lose passwords as well. 12% of employees have at least one corporate identity (username and password) for a cloud service that has been compromised for sale on the Dark Net (online black markets) today.13

Cloud Data SecurityCHAPTER 5

KEY STAT: ONLY 17% OF CLOUD SERVICES PROVIDE MULTI-FACTOR AUTHENTICATION, ONLY 5% ARE ISO 27001 CERTIFIED, AND ONLY 11% ENCRYPT DATA AT REST.

PAGE 16 | CHAPTER 5 | CLOUD DATA SECURITY

12, 13 Skyhigh Networks Cloud Adoption and Risk Report: Q4 2014


A study by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are re- used in multiple places. The implication here is that, for 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services in use by that person as well. Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be immense.



Enterprises can improve the security of their data by employing access control policies for cloud services that take into account the context of the user, data, device, and location. For example, an executive may be able to view and download important financial data to her laptop when in the office, but may be restricted to viewing only when on her mobile device in a foreign country.

Additionally, enterprises can take extra steps to ensure the security of their data by employing encryption and tokenization and controlling their own keys. Encryption can be tricky, and several considerations must be made when evaluating encryption options.

First, enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia-reviewed to ensure that they are up to modern cryptographic standards.

Second, enterprises must also verify that the algorithms used can support the required functionality of their application since there is a trade-off between the security of an algorithms and the functionality that it can support. To better understand the specific tradeoffs, read The Cloud Encryption Handbook: Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to maximize data security, enterprises must own their own encryption keys. By taking ownership of their keys, they prevent a malicious insider at a cloud service or an inquiring government agency from gaining access to their data.

Enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia-reviewed to ensure that they are up to modern cryptographic standards.


With regards, to data security, Gartner says that data is mission-critical to the enterprise and that securing that data is the primary goal of any IT Security organization. Therefore, if the enterprise is moving its data into cloud services, IT Security must:

• Ensure that sensitive data is encrypted using known good algorithms or tokenized before entering the cloud service via a configurable data security policy.

• Ensure that robust authentication procedures are defined and enforced, including central credential store usage, certificates, and multi-factor authentication.

• Support encryption key management via a hardware security module (HSM).

• Ensure that only the authorized users and groups have access to enterprise data

• Prevent data from being lost within cloud services when the owner is de-provisioned.

• Ensure functionality within cloud services is maintained when data within those services is encrypted or tokenized so that the value of the services can be fully realized.

• Ensure that data loss prevention and e-discovery are available for cloud services, just as they are for on-premises systems today.14


73% of IT Security teams list security of their data in the cloud as a top challenge holding back cloud projects.


1 Which cloud services encrypt data at rest and provide multi-factor authentication? 6 How do we encrypt data while maintaining required

functionality within cloud services?

2 What are the compliance certifications of the services employees are using? 7 How do we encrypt data while controlling our own

encryption keys?

3 Which of our cloud services undergo regular penetration testing? 8 How do we employ tokenization to ensure data

privacy in addition to security?

4 Which of our cloud services has been compromised in the last week, month, year? 9 How do we enforce access policies based on user,

device, and location?

5 Which data should be encrypted in which cloud services?

KEY QUESTIONS SECURITY SHOULD BE ABLE TO ANSWER RELATED TO CLOUD DATA SECURITY:


Shadow IT refers to information technology that is managed outside of, and without the knowledge of, the IT department. At one time Shadow IT was limited to unapproved Excel macros and boxes of software employees purchased at office supply stores. It has grown exponentially in recent years, with advisory firm CEB estimating that 40% of all IT spending at a company occurs outside the IT department.15

This rapid growth is partly driven by the quality of consumer applications in the cloud such as file sharing apps, social media, and collaboration tools, but it’s also increasingly driven by lines of business deploying enterprise-class SaaS applications. In many ways Shadow IT is helping to make businesses more competitive and employees more productive.

When employees and departments deploy SaaS applications, it can also reduce the burden on IT help desks to take calls according. However, while IT is no longer responsible for the physical infrastructure or even managing the application, it’s still responsible for ensuring security and compliance for the corporate data employees upload to cloud services. Instead of seeing Shadow IT as a threat, Ralph Loura, CIO of HP Enterprise, sees it as an opportunity to leverage employees to identify the applications they want to use so that IT can enable the ones that have gained traction and are enterprise-ready.

Shadow ITCHAPTER 6

KEY STAT: THE AVERAGE EMPLOYEE USES 27 DIFFERENT CLOUD SERVICES. ON AVERAGE, IT IS AWARE OF 3 OF THEM.

PAGE 21 | CHAPTER 6 | SHADOW IT

15 http://www.forbes.com/sites/tomgroenfeldt/2013/12/02/40-percent-of-it-spending-is-outside-cio-control/


According to Loura, “We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins.” Promoting low risk services that have reached a tipping point starts with understanding what cloud services employees use, how they use them, and their associated risk.


Ralph Loura,CIO Enterprise Group,HP

We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users.


When IT examines the use of cloud services across the organization, they generally find Shadow IT is 10 times more prevalent than they initially assumed, with the average organization today using 897 different cloud services.16 Often IT departments discover many services in use that they have never heard of before. After auditing the risk of each service and its security controls, IT teams can make informed choices about what services to promote or enable. This is more than just an exercise in risk management. The average company uses nearly 30 different file sharing services, and using this many different services can impede collaboration between employees. Standardizing on enterprise licenses for 2-3 services not only improves collaboration, but also reduces cost. Below are key questions related to shadow IT that IT Security should be able to answer:

VISIBILITY• Which users and business units are using

which cloud services, and what is the risk of each of the services in use?

• How effective are my firewalls and proxies at enforcing my cloud security policies?

COMPLIANCE• Where is sensitive data being stored

today, and what certifications do services storing sensitive data have?

• Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward?

THREAT DETECTION• Are there behavioral anomalies that

indicate an insider threat?

• Are there behavioral anomalies that indicate a security breach from malware or a compromised identity?

DATA SECURITY• Which data in which services can users

access from various devices?

• Do I need to encrypt or tokenize data to protect confidential or sensitive information?

Q2 Cloud Adoption and Risk Report

Last quarter the average company uploaded 86.5 GB to high-risk cloud services.


1 Log-based visibility into all users, services (SaaS, PaaS, IaaS), and data transfers 11 Ability to leverage policies from on-premises DLP

systems and extend them to cloud services

2 On-premises tokenization of log data for security and privacy 12 Ability to quantify cloud risk, compare it to benchmarks

from peers in the industry, and track it over time

3 Comprehensive cloud registry covering a minimum of 10,000 cloud services 13 Anomaly detection across all services to identify

insider threats or security breaches

4 Detailed risk assessments provided for all cloud services 14 Ability to identify unmatched uploads for further

investigations

5 Usage analytics to identify redundant services and popular and growing services primed for enterprise adoption 15 Integration with SIEMS for incident response remediation

6 Ability to audit the effectiveness of firewall and proxies at enforcing policies 16 Dark Net intelligence to identify stolen credentials

of employees

7 Closed-loop remediation with firewalls and proxies 17 User reputation analysis based on correlated activities across cloud services

8 Ability to coach employees using integration with firewalls and proxies 18 Function-preserving encryption for data security

9 Customizable reporting with automatic periodic reporting capabilities 19 Frictionless deployment that doesn’t impact end users

10 Vertical-specific, pre-built DLP policy templates

19 KEY REQUIREMENTS FOR ENABLING SECURE SHADOW IT USAGE:


Customer Relationship Management (CRM) platforms, such as Salesforce, provide business-critical functionality for Sales, Sales Operations, Customer Service, and Marketing. In order to support these business units, CRM services frequently contain sensitive or confidential customer information including PII, financial data, or PHI.

While popular CRM platforms, such as Salesforce, have industry-leading security capabilities, organizations must ensure that their valuable data is protected and that the use of their CRM service is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.

CRMCHAPTER 7

KEY STAT: 4% OF FIELDS IN CRM APPLICATIONS CONTAIN SENSITIVE OR CONFIDENTIAL FINANCIAL DATA, PII, OR PHI

PAGE 25 | CHAPTER 7 | CRM


Enterprises must not rely solely on the security capabilities of the CRM service itself, as users may not always be using cloud products in ways that meet your security, compliance, and governance requirements. For example, users may be storing sensitive data such as payment card data and protected health data in Salesforce as part of their normal workflow outside of policy, putting the organization at risk of compliance violations. Or, consider the example of a salesperson that downloads all the company’s opportunities before leaving to join a competitor. Below are key questions related to CRM services that IT Security should be able to answer:

VISIBILITY• How many instances of Salesforce, or

other CRM applications, are we running?

• Which users and groups are using which products, and where is sensitive data stored?

COMPLIANCE• Which types of sensitive data are

uploaded into our CRM service in customer fields or comments sections and where is it being stored?

• Are we in compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?

THREAT DETECTION• Are there behavior anomalies, such as a

salesperson downloading more data than usual, that indicate an insider threat?

• Are there behavioral anomalies, such as a salesperson logging in from Boston and Bangkok within the same hour, that indicate a compromised identity?

DATA SECURITY• Which devices and geographies are

employees accessing CRM services from?

• How can I encrypt or tokenize data while maintaining important functionalities like search, sort and order?

Gartner

CRM is expected to grow to a $36.5 billion market worldwide within the next three years.

1 Usage analytics across all CRM services for both individuals and business units 10 Academia and peer-reviewed encryption schemes

2 Ability to identify redundant CRM services and coach users over to standardized services 11

Ability to substitute sensitive data with randomly generated tokens (tokenization) to keep data on-premises and satisfy data residency requirements

3 Ability to identify all third-party applications accessing CRM services and their data 12 Ability to manage encryption keys via integration with

key management servers supporting the KMIP protocol

4Detailed activity monitoring of all user, admin, and third-party application activities including uploads, downloads, views, edits, and deletes

13 Behavioral modeling of normal user and admin activity within the CRM services

5 Ability to identify sensitive data subject to compliance requirements or security policies 14

Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat

6 Ability to enforce Enforces DLP policies and support several actions, including alerting and blocking. 15 Integration with SIEMS for incident response remediation

7Ability to extend existing DLP policies from on-premises systems and provide integration and closed-loop remediation

16 Integration with SAML v2 compatible single sign-on services

8Ability to encrypt structured and unstructured data with standards-based AES or function-preserving encryption using enterprise-owned encryption keys

17 Ability to deploy in the cloud, on-premises as a virtual appliance, or in a hybrid architecture

9 Ability to apply encryption while preserving end-user functions such as search, sort, and format.

17 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT CRM USAGE:


File-sharing and collaboration services like 0365, Box, Dropbox, Google Drive, and Jive are incredibly popular. The average company uses 27 file-sharing services and 45 collaboration services today, which may actually impede collaboration.17 The security controls of file-sharing and collaboration services can vary widely, so organizations must also evaluate the services to understand the risk they present to the organization. Some services claim ownership of your data, don’t encrypt data at rest, or permit anonymous use, making them unsuited for enterprise use.

File-Sharing and CollaborationCHAPTER 8

KEY STAT: 22% OF FILES UPLOADED TO FILE-SHARING CLOUD SERVICES CONTAIN SENSITIVE OR CONFIDENTIAL DATA, INCLUDING PII, PAYMENT INFORMATION OR PHI

PAGE 28 | CHAPTER 8 | FILE-SHARING AND COLLABORATION



In addition to the security risk, companies must evaluate the compliance risk as well. 22% of files uploaded to file-sharing cloud service contain sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; or PHI (protected health information) such as medical record number or health plan beneficiary number. Organizations must ensure that their valuable data is protected and that the use of file-sharing and collaboration services is in compliance with industry regulations such as PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.


Q4 2014 Cloud Adoption and Risk Report

The average company uses 27 different file sharing services, inhibiting collaboration and creating risk.



Additionally, many cloud services offer more than just file syncing across devices; they’re platforms for collaborating with other people. No matter how secure a cloud provider is, end users can always use their service in risky ways. Naturally, users share files with other people at their companies, but files are also frequently shared via public links, which can be accessed by anyone without restriction.

Files are frequently shared via public links, which can be accessed by anyone without restriction.


In fact, 11% of all documents shared via file-sharing services were shared outside the company. The majority of these external collaborators turned out to be business partners, but 18% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.18 Organizations must ensure that their governance policies, dictating who has access to services and their data, are enforced. Below are key questions related to file-sharing and collaboration that IT Security should be able to answer:

VISIBILITY• How many file-sharing and collaboration

services are we using, and what is the risk of each?

• Which types of sensitive data are uploaded into our file-sharing and collaborations services and where is it being stored?

COMPLIANCE• Are we in compliance with PCI DSS,

HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and international data residency requirements?

• Which data loss prevention policies for which services do I need to implement to ensure compliance with industry regulations moving forward?

• Are our cloud DLP policies perfectly aligned with the DLP policies we enforce on-premises?

THREAT DETECTION• Are there behavioral anomalies,

such as excessive downloads of confidential information, that indicate an insider threat?

• Are there behavioral anomalies, such as repeated logins from an unusual geography, that indicate a compromised identity?

DATA SECURITY• Which devices and geographies are

employees accessing file-sharing and collaboration services from?

• How do we see what data is shared publicly now, and how do we restrict collaboration to verified business email accounts?

Q4 Cloud Adoption and Risk Report

18% of external collaboration requests went to third party email addresses such as Gmail, Hotmail, and Yahoo! Mail.


1 Usage analytics across all file-sharing and collaboration services for both individuals and business units 10

Ability to leverage behavioral models and machine learning to identify usage anomalies indicative of compromised accounts or insider threat

2Ability to identify redundant file-sharing and collaboration services and coach users over to standardized low-risk services

11 Integration with SIEMS for incident response remediation

3 Ability to identify all third party application accessing file-sharing and collaboration services and their data 12 Ability to identify all externally shared data and view

sharing permission details

4Detailed activity monitoring of all user, admin, and third-party application activities including uploads, downloads, views, edits, and deletes

13 Ability to enforce external sharing policies based on domain whitelist/blacklist and content

5 Ability to identify sensitive data subject to compliance requirements or security policies 14 Ability to coach users on acceptable use when in violation

of security, compliance, and governance policies

6Ability to enforce DLP policies and support several actions, including alerting, blocking, tombstoning, and quarantining.

15 Integration with SAML v2 compatible single sign-on services

7 Out-of-the-box DLP templates for all major verticals and regulations to help identify sensitive content. 16 Ability to encrypt data with peer- and academia-reviewed

encryption schemes

8Ability to extend existing DLP policies from on-premises systems and provide integration and closed-loop remediation

17 Ability to manage encryption keys via integration with key management servers supporting the KMIP protocol

9 Behavioral modeling of normal user and admin activity within the file-sharing and collaboration services 18 Ability to deploy in the cloud, on-premises as a virtual

appliance, or in a hybrid architecture

18 KEY REQUIREMENTS FOR ENABLING SECURE AND COMPLIANT FILE-SHARING AND COLLABORATION USAGE:


With cloud adoption accelerating every year, enterprise IT is looking for ways to partner with the business to enable secure utilization of the cloud. Increasingly, these enterprises are turning to a new breed of technology, referred to by Gartner as “Cloud Access Security Brokers” (CASB), in order to do this.

Gartner analysts Neil MacDonald and Peter Firstbrook first defined the Cloud Access Security Broker category in May 2012 in their report “The Growing Importance of Cloud Security Brokers,” G00233292. Other firms, such as Forrester, Securosis, and 451 Research have defined similar categories, alternatively referring to the technology as Cloud Security Gateways and Cloud Access Controllers. Since then, Gartner has elevated the importance of CASB and now lists it as #1 in the top ten technologies for information security.19

What is a CASB?CHAPTER 9

KEY STAT: NINETY PERCENT OF SAAS ADOPTERS EXPECT SAAS TO CONSTITUTE MORE THAN 50% OF THEIR SPENDING ON ENTERPRISE APPLICATIONS BY 2018, CREATING SIGNIFICANT NEED FOR CASB PROVIDERS. (GARTNER)

PAGE 33 | CHAPTER 9 | WHAT IS A CASB?

19 http://www.information-age.com/technology/security/123458169/gartners-top-10-security-technologies-2014


Cloud Access Security Brokers are on-premises or cloud-hosted software that acts as a control point to secure cloud services. They generally offer a range of capabilities including visibility, encryption, auditing, data loss prevention (DLP), access control, and anomaly detection. While cloud providers individually offer some of these capabilities, many organizations are looking for consistent policy enforcement across cloud providers. Given the limited resources to operationalize a new security process with existing resources, these capabilities should ideally be delivered as part of a single solution, offering one control point.

In determining whether your organization needs a CASB, Gartner provides several questions, shared below. If the answer to one or more of the questions is “no”, Gartner recommends that your organization considers investing in a CASB.

Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

Gartner

1 Can I identify all of the cloud services employees are using and assess the risk of each service? 6 Which devices and locations are users accessing

cloud services from?

2 Can I identify which cloud services are housing sensitive corporate data, and how much data is in each service? 7

Can I enforce contextual access policies to prevent specific devices, geographies, or IP addresses from accessing enterprise cloud services?

3 Can I identify which users are sharing data, what data they are sharing, and with whom? 8

Can I proactively recommend enterprise-ready cloud services to employees or business units in need of specific capabilities or categories of cloud services?

4 Does the data being shared contain sensitive information such as PII, PHI, or financial data? 9 Can I detect compromised cloud service accounts

and prevent malicious behavior?

5 Can I enforce encryption, tokenization, or redaction to protect sensitive data? 10

Can I offer specific security capabilities such as encryption or data loss prevention for cloud services that don’t have those capabilities built in?

10 KEY QUESTIONS FROM GARTNER TO DETERMINE IF YOUR ORGANIZATION NEEDS A CASB, FROM “MIND THE SAAS SECURITY GAPS”:


A common element of all Cloud Access Security Brokers is they interject security controls by brokering access to a cloud service. This enables IT to securely enable the use of cloud services within their organizations without compromising compliance or security. By bundling security functions with a single enforcement point, CASBs also reduce the complexity of securing data in the cloud.


A Cloud Access Security Broker can provide value across two axes: cost savings and risk reduction. Within cost saving there are 6 primary areas of cost reduction:

Quantifying the Value of a Cloud Access Security Broker

CHAPTER 10

KEY STAT: ORGANIZATIONS USING SKYHIGH TO MANAGE BOTH SHADOW IT AND SANCTIONED IT SAVED AN AVERAGE OF $1.5M PER YEAR IN IT COSTS AND REDUCED THE VOLUME OF DATA SENT TO HIGH-RISK SERVICES BY 97%

1. Reduction in manual efforts required to analyze log data for cloud visibility

2. Streamlined security assessments for cloud services

3. Elimination of unapproved IaaS usage

4. Subscription consolidation

5. Elimination of orphaned subscriptions

6. Accelerated response to breaches and vulnerabilities

PAGE 36 | CHAPTER 10 | QUANTIFYING THE VALUE OF A CLOUD ACCESS SECURITY BROKER


$219,200

$276,000

$186,250

$266,000 $36,800

$530,001 $1,514,251Average Reported Savings in

Each Savings Category

Average expected cost savings across ten customers, broken

down by savings category

Quantifying the value of a Cloud Access Security Broker

Below is a chart depicting the average hard-dollar cost savings across these six categories. Summing the savings, we see that the average organization saved $1,514,251 annually by managing their shadow IT and sanctioned IT usage with Skyhigh, a leading cloud access security broker.21

21 Quantifying the Value of a Cloud Access Security Broker. Skyhigh Networks. 2014


In addition to cost savings, cloud access security brokers can also mitigate risk in the enterprise. Risk mitigation from the use of a CASB is typically comprised by the following four factors:

Below is a table quantifying some of the risk reduction metrics achieved by companies that implemented Skyhigh to manage their cloud adoption and risk. Summarizing the key findings, we see that organizations increased their use of low-risk cloud services by 83%, decreased their use of high-risk services by 50%, and decreased the volume of data sent to high-risk file-sharing services by 97%. In total, organizations that managed their Shadow IT and Sanctioned IT with Skyhigh’s CASB reduced their overall cloud risk score by 59%.22

1. Reduction in data lost due to the use of high-risk services

2. Reduction in data lost due to security breaches

3. Reduction in data lost due to insider threats

4. Reduction in risk of a compliance violation

How 200 Organizations Flipped Shadow IT from Concern to Opportunity

Organizations using a CASB decreased the volume of data sent to high-risk file-sharing services by 97%.

Attribute Before After Improvement

High-Risk Service %

Monthly Data Sent to High-Risk Services

High-Risk File Sharing Services

Monthly Data Sent to High-Risk File Sharing Services

Active Tracking Services

Low-Risk Service %

Enterprise CloudRisk Score

16%

31GB

6

16GB

32

12%

6.4

8%

6.7GB

1.3

.5GB

4

22%

3.8

50%

79%

78%

97%

87.5%

83%

59%

22 How 200 Enterprises Flipped Shadow IT from Concern to Opportunity. Jim Reavis, Brandon Cook. 2014

When evaluating different CASB vendors, there are several factors IT leaders must consider. In addition to understanding whether the capabilities offered match the business requirements, IT leaders must determine whether the deployment model fits with their organization. For example, organization should consider whether they want their CASB to be cloud-based or if they prefer to manage all of the infrastructure and maintenance of an on-premises solution themselves.

Additionally, organizations should consider whether they are looking for a frictionless approach requiring no agents or if they would prefer a solution that installs agents or PAC files on users’ work and personal devices. Finally, organizations should consider whether the CASB vendor has supported other companies in similar verticals and of similar size.

Many CASB vendors are emerging and have not yet deployed their solution at scale. This may be acceptable to a smaller organization, but this is likely to be an area of concern for a larger enterprise. To get started, Gartner offers a framework for evaluating CASB vendors organized around the types of cloud services the enterprise is aiming to enable. This framework is provided below for your reference:

Conclusion - Parting Guidance on Evaluating CASB Vendors

CHAPTER 11

PAGE 39 | CHAPTER 11 | CONCLUSION - PARTING GUIDANCE ON EVALUATING CASB VENDORS


SHADOW IT:• Ask CASB vendors to generate a cloud visibility report with your data during

the proof-of-value process.

• Analyze the categories and individual cloud services in use, and identify the risk associated with the service and its usage.

• Create a corporate policy about which cloud services to block or to allow, and then determine the depth of security controls and API integrations the CASB vendor can enforce for your permitted cloud services.

• Select only those CASB vendors whose solution fits with your company vision on cloud and mobility.

EXISTING SANCTIONED IT SERVICES:• Analyze the redirection methods offered by various CASB vendors, and

determine if they align with your enterprise’s mobile device policy (i.e. managed devices vs. bring your own device [BYOD]).

• Evaluate only the CASB vendors that are least disruptive to your current environment.

• Evaluate CASB vendors that can extend common security capabilities to multiple cloud services from a single management console.


61% of enterprises say that cloud security is now a board level concern.


If you would like Get a FREE personalized assessment of all cloud services in use by your employees including:

• All IaaS, PaaS, and SaaS cloud in use• An objective rating of enterprise readiness for each service• Potential data leaks, security breaches, and non-compliance• Consolidation opportunities for unused licenses

Please email [email protected].

NEW SANCTIONED IT SERVICES:• Include CASB and identity management products when budgeting for new

cloud services and account for them in enterprise architecture discussions

• Evaluate your current infrastructure architecture program to identify spending that could be re-directed to CASB for use with cloud services that are planned or in use already. This is an architecture change that will be necessary if you plan to move to cloud services in the future.


Documents

eBook: The DeÞnitive Guide to CLOUD SECURITY · The DeÞnitive Guide to Cloud Security ... study by the Cloud Security Alliance ... 12 How do I track and log all user and admin actions