Bringing Your Enterprise Cloud Usage Under Control
The use of cloud computing and storage services can contain surprises for even the most security-conscious IT departments.
Take, for example, the most recent quarterly "Cloud Adoption and Risk Report" from cloud security vendor Skyhigh Networks. As part of its services, Skyhigh discovers cloud services in use by a company's employees. Using anonymized data across its customer and prospect base, Skyhigh determined that in the second quarter of this year, companies used an average of 738 discrete cloud services.
Now, bear in mind, these are companies diligent enough to already believe it's important to have a vendor check their network for rogue services. And how many cloud services were those IT departments already aware of on average?
"Thirty," says Skyhigh CEO Rajiv Gupta.
Another industry insider, Frank Cabri, has a name for the two groups of cloud apps. "Sanctioned" apps are the small set of cloud services that the IT department knows about and led the implementation for, says Cabri, vice president of marketing at Skyfence Networks Ltd. Those sanctioned services might include Microsoft Office 365 or Salesforce.com or Amazon Web Services (AWS). "Unsanctioned" apps are the ones the business groups or individual users installed without any IT involvement. They could be some of the same apps from the sanctioned list done on the sly or a free file sharing service set up to meet a departmental business need, or the Twitter, Evernote or Yahoo Mail accounts of individual users, accessed on occasion from the company network.
Unsanctioned -- or shadow cloud services, as they've come to be called -- are only one of the new classes of potential security sideswipes that IT departments face in the cloud.
The highest-profile group of new cloud problems with significant implications for IT departments come from governments, as revealed by reports based on the cache of U.S. National Security Agency (NSA) documents provided by Edward Snowden. In a blog post last December, Microsoft General Counsel Brad Smith went so far as to claim that "government snooping potentially now constitutes an `advanced persistent threat,' alongside sophisticated malware and cyber attacks."
Organizations must now seriously consider whether data they store in the cloud would be a potential target for the NSA and other nations' signals intelligence agencies. Then there's the possibility of old-fashioned industrial espionage by foreign governments. One other risk category for data stored at a cloud services provider (CSP) is the possibility that the cloud provider will receive a government investigatory request for your organization's data. A CSP that fails to fight successfully to keep that customer data private and that can access the data often will be prohibited from informing the customer about the request or the data handoff.
Then there are the more traditional security concerns, equally present or sometimes amplified in the cloud. First, there's the issue of the CSP's security procedures. The most recent Skyhigh scan uncovered 3,861 unique cloud services in use during the quarter. Only 9 percent of the services met the Skyhigh Enterprise Ready trademarked security standard. What that means is that many of the CSPs are themselves at risk of compromise by an attacker, putting their customers' data at risk. No matter the CSP's business practice, there's also always the possibility of rogue administrators at the CSP.
Another issue that arises from the use of personal cloud services on the company network is that many users will keep the same passwords for personal and business accounts, meaning that compromised credentials on a consumer service can lead to successful attacks into a corporate system.
None of the alphabet soup regulatory requirements stop at the company firewall, either. Cloud data, known and unknown to the IT department, is subject to the same privacy, security, disclosure and data residency requirements as any of the corporation's other data.
"If you look at most organizations, they don't encrypt information within their environments. If you're going to a major cloud provider and you're encrypting the information and you're keeping the keys separate, that's going to put you in a better position."
Bob West, Chief Trust Officer, CipherCloud
Make It Work
While the cloud risks are real to data, brand and compliance, Gupta identifies another important risk for IT departments. "The further IT gets away from addressing the employee need, the less relevant IT gets in the eyes of users. That's a pretty slippery road," Gupta says.
A lot of cloud service usage arises in the organization because the service meets a need the IT department may not be filling. "What are employees trying to do? If my employees are using file-sharing services, they probably need file sharing. What's the most enterprise-ready, lowest-risk service that I should allow my employees to use?" Gupta says.
Among Skyhigh customers who pivot to that approach of standardizing on a reliable service, Gupta says two surprising things happened. "As they communicated to employees that they understood [their needs], the use of all of the other higher-risk services dramatically went down because the employees [finally had] something to use. The second thing that happened was the employee satisfaction with the IT organization went up. It's taking IT from the guard of the asylum inmates to the guide who says, `Let me help you to do what you want to get done.'"
For similar reasons, Cabri reports that Skyfence users often choose to leverage customized profiles for actions within cloud applications like Salesforce.com rather than a "hardline block" of certain actions. "Sometimes that's not the most graceful approach," he says.
"We understand that they want to get their tasks done, but it may expose security and compliance risks for the company. That's the general trend that we're riding. Companies no longer own the applications, the infrastructure or, often, even the device," Cabri points out.
The Cloud Security Toolbox
IT departments looking to strike that cloud balance between user and organizational productivity and security have a number of tools in the toolbox.
The best known is bring-your-own encryption, the kind that protects data before it gets to the CSP. "One of the top-trending inquiry topics hitting our cloud and security analysts lately are about cloud encryption for AWS and Salesforce.com," James Staten, vice president and a principal analyst at Forrester Research Inc., said in a blog post of cloud predictions for this year. "You can thank the U.S. NSA for popularizing this trend. Clients are asking for recommendations on offerings that encrypt data before it hits the cloud service and lets the enterprise control the keys."
Encryption relies on a complicated brew of technology and organizational policy, however, with many seeming solutions turning out to be "warm fuzzies" that make customers feel good, but may not protect their data. "The important thing for businesses to understand if they really want to have control over their data is that they need to do three things," says Elad Yoran, CEO of Security Growth Partners LLC and former chairman and CEO of cloud security company Vaultive Inc. "They need to ensure that their data is encrypted before it gets to the cloud provider. The second thing is that they need to have control of the encryption keys. Then they need to ensure that the data is always encrypted, meaning in use, as well as in transit and at rest."
Executed rigorously, encryption addresses a host of ills, from an IT standpoint. CSP compromised by attackers? They see only gibberish. CSP gets a National Security Letter from the FBI? The CSP can only hand over the gibberish. The FBI has to come to the customer for the key to decrypt the data. This means the customer knows it's being targeted and can get the lawyers involved in the tried-and-true process of negotiating what gets handed over, Yoran says.
Encryption is no silver bullet, though, warn all the experts. "One thing organizations need to be aware of is that credential theft in many ways is becoming a new attack vector for these cloud apps. Once the bad actor has your credentials, it doesn't matter whether that data is encrypted or not," Cabri says.
Because of that, encryption must be paired with several other technologies. One is effective authentication -- be it single-sign-on or two-factor authentication or some other password policy solution. On the other end is policy enforcement. "Say a user usually logs in from the Bay Area. Now they're logging in from Russia with a different end point than we've ever seen," Cabri says. "We can block access based on policy."
Auditing tools are also important and several are emerging to address the unique problems of the cloud -- where a good portion of the audit trail is dark because it passes through the black box of the CSP.
A Better Risk Posture
Although an entire cluster of cloud security companies are emerging to face the challenging new security threats, their attitudes are far from gloomy about the possibility of security in the cloud.
Bob West, chief trust officer at CipherCloud, contends organizations that enter the relationship with cloud providers with their eyes open may actually be able to achieve better security than they had previously. On the one hand, vendors such as Google Inc. and Microsoft are making serious efforts to improve datacenter security, due to pressures and revelations stemming from the NSA reports.
"If you look at most organizations, they don't encrypt information within their environments," says West. "If you're going to a major cloud provider and you're encrypting the information and you're keeping the keys separate, that's going to put you in a better position. If an adversary understands your IP range, they know where the targets are. In a multi-tenant environment, that's much more difficult. I think you have a better risk posture there."
Scott Bekker is editor in chief of Redmond Channel Partner magazine.