“All roads to the digital future lead through security”, noted Gartner in its Top 10 Strategic Technology Trends for 2015. Following numerous high profile data breaches in 2014, companies have now listed security as a top IT priority. That should not surprise anyone, considering that the average cost of a data breach comes to $3.79 million, according to a study conducted by the Ponemon Institute. This number includes the direct costs to investigate and rectify the problem, but not costs in lost business, which are even higher. These are some of the reasons why data security is now on the radar of many CEOs. Kelly King, CEO, president and chairman of BB&T, who the Information Security Media Group named one the financial industry’s most influential people in Jan 2015, said in an interview “If you don’t know the risk, you can’t develop a strategy to mitigate the risk. And in dealing with cybersecurity, information is critical and timing is everything.” BB&T’s cybersecurity budget has doubled in the last two to three years and is growing on an annualized basis at a very strong, double-digit pace.
TACKLE THE CLOUD FIRST! One of the key reasons why enterprises are vulnerable from an information security standpoint is their cloud adoption. Forrester Research says breached data in the cloud is inevitable and we should brace ourselves for more ugly headlines. Most cloud activities within enterprises happen under the IT radar. Skyhigh publishes a quarterly Cloud Adoption & Risk Report, and in our most recent report we found that the average organization now uses 1,083 cloud services (46.7% higher than this quarter last year) and the IT department is not aware of 90% or more of these. This growing “shadow IT’’ activity is leaving companies increasingly vulnerable in its wake. Even with IT-sanctioned cloud services, differing capabilities of each service make it challenging for companies to impose policies on the cloud. There is also added difficulty in protecting company data against insider threats and compromised identities.
To address the cloud security problem, companies are increasingly turning to Cloud Access Security Brokers (CASB) – the term Gartner uses to define the category of solutions that are placed between cloud service providers and consumers to act as a control point for securing cloud services. CASBs are different from existing security solutions because they help companies gain visibility into cloud usage and inject policy controls. An added strength of cloud-based CASBs is their speed of deployment while leveraging company’s security including firewalls and proxies, SIEMs, mobile device management solutions, encryption key management solutions, and policies in enterprise data loss prevention solutions, in order to extend existing policy controls to data in the cloud.
As companies look to tighten their defenses against a data breach, here are 5 solutions they can implement quickly to minimize risk of data loss.
- Get visibility into your company’s Shadow IT – A large part of the risk to company information comes from shadow IT, which refers to cloud services that help employees get work done, but are not approved for use by the company. A number of these services have questionable security credentials, but IT has no clue they are being used and thus cannot exert any control to prevent loss of company information. A CASB will provide companies with a complete list of all cloud services, including shadow IT services, being used by their employees. Cisco deployed their CASB, Skyhigh, in less than a day and immediately identified dozens of unauthorized cloud services operating on the Cisco networks. “The number of cloud providers we were using was definitely a bit of an eyebrow raiser,” said Desmond Murray, Cisco’s Director of Information Systems. “We knew there would be a good number, but we were surprised by exactly how many showed up.”
- Block high-risk cloud services – After getting visibility into all the unsanctioned cloud services being used in your company, the next step is to identify the risky ones and stop employees from uploading sensitive data into these services. But evaluating security credentials of the cloud services can be a tedious process, especially when there are hundreds or thousands of them. A CASB can help with this because the Shadow IT report includes not just a list of all the cloud services, but also an impartial rating for each service based on a comprehensive list of security attributes, endorsed by a neutral 3rd party organization. This capability quickly reveals all the high-risk cloud services used within the company. IT can choose to either block these services or coach employees towards an approved alternative.
- Enforce policies across sanctioned cloud services – Shadow IT poses a growing threat, but even sanctioned cloud services can be a threat to data security when they are used outside of policy. For example, a salesperson can download all customer information from Salesforce before leaving the company to join a competitor. The company needs to enforce policies on sanctioned cloud services to ensure alignment with internal standards or industry regulations. A CASB will allow you to easily and quickly enforce policies that protect company data in sanctioned cloud services such as Salesforce, Box and Office 365. Examples of policies include blocking users logging into Salesforce from a certain geography, or restricting users to only preview documents in Box if they are logging in from an unmanaged mobile device. Many companies already have on-prem DLP policies and use CASBs to extend these policies to the cloud. They also use CASBs to run regular scans on their sanctioned cloud services and quarantine suspicious files that are then manually checked or run through their on-prem DLP application.
- Encrypt sensitive data in the cloud – Earlier this year, St. Elizabeth’s Medical Center was fined $218,400 for storing Protected Health Information (PHI) of nearly 500 patients in a cloud-based file sharing application that didn’t have the requisite security restrictions in place. Companies run into a number of compliance issues when employees expose Personally Identifiable Information (PII) and PHI using both sanctioned and shadow cloud applications. This issue can be addressed by encrypting information stored in the cloud. CASBs monitor cloud data uploads and downloads for sensitive information such as Social Security numbers or credit card numbers, and encrypt these on the fly. This encryption also preserves app functionality. For example, Box or Salesforce users are able to search or sort information even when the underlying data is encrypted. So, the company can strengthen compliance while maintaining user experience and productivity.
- Implement a threat detection and response process – According to the Forrester report discussed earlier, breaches of data stored in the cloud are inevitable. Companies can protect themselves by imposing practices and policies to minimize risk, but they should also have a process to detect a breach when it does occur so they can respond immediately. Using threat protection, companies can flag anomalous activities such as multiple logins from different geographies and large data downloads that can indicate a compromised account or insider threat. Timely detection of these threats will allow companies to take remedial actions and minimize the negative impact. When they adopt a cloud service, companies operate on a shared responsibility model, so implementing robust threat protection is important in increasing their preparedness to tackle a security incident.
Security and compliance are the biggest roadblocks to cloud adoption in enterprises. But it is not possible to close the floodgates to cloud services. The substantial increases in productivity that users are seeing by adopting these cloud services means we are in the midst of an unstoppable tectonic shift toward the cloud. Companies are therefore embracing cloud usage while regulating shadow IT by moving away from risky cloud solutions and imposing controls on sanctioned services. As renowned scientist and mediation guru Jon Kabat-Zinn said, “You can’t stop the waves, but you can learn to surf.”