Across the globe, Chief Information Security Officers are losing sleep to nightmares born out of security concerns. As some of you may have learned the hard way, high-volume NyQuil consumption is not a viable long-term strategy. Here, we discuss the three recurring cloud security nightmares keeping CISOs from a full eight hours – and some tips to overcome them.
The Compliance Nightmare
You’re seated at a conference room table, opposite a severe-looking individual wearing a name badge: Auditor. As you begin to open your mouth and ask how you can help, the auditor pulls a comically large stamp out of their briefcase and begins running around the room, stamping “FAIL” everywhere, then asks you to write a check with so many zeroes you’re unsure how to pronounce the number. You scream loud enough to wake the neighbor’s deaf poodle – and your spouse sleepily reminds you to stop reading Franz Kafka before bed.
How Did We Get Here? As corporate data moves into the cloud, compliance regulations follow. Though the regulations themselves vary across verticals, the alphabet soup of compliance mandates impacts most organizations, from HIPAA to PCI and beyond. Denial is not a viable approach here.
What Can I Do About It? Security starts with knowledge – monitor data within cloud platforms as well as any SaaS applications enabled with corporate credentials. Be sure to craft policies that account for the compliance concerns idiosyncratic to your vertical – and then feed them to a DLP system capable of inspecting all kinds of cloud data traffic, including cloud-to-cloud. Finally, remediate security incidents to resolve any concerns or compliance conflicts.
The Data Leak Nightmare
This starts out like a normal evening – you made it home after a brutal commute and begin watching the news. But, then, it all goes south – and quick.
The newscaster shares the details of your organization’s top secret plans for the new Battery Operated Battery Installer (never install batteries again!). As you steady yourself against the couch, your phone begins to ring incessantly. Your CEO appears out of nowhere and hands you a packet on job hunting tips and you awake in a cold sweat.
How Did We Get Here? The collaborative nature of cloud applications – beneficial for business – offers users a newfound level of power to create, distribute, and access sensitive data. Whether caused by negligence, human error, compromise via a 3rd party SaaS application (don’t worry – we’ll get to that), or malicious activity, the possibility of externalizing data is very real.
What Can I Do About It? Make sure your security policy is actually enforced through technical controls. Flag files in the cloud containing sensitive information, and trigger an elevated alert if any of these files is shared excessively, whether internally, with select external parties, or publicly. Additionally, be sure to educate your users by notifying them when this occurs and offering them the opportunity to remediate the issue.
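The flag-then-alert logic described above, as an added example that is not from the original post or any vendor's product. The domain `corp.example`, the internal sharing threshold, the `anyone` marker for public links and the file inventory are all constructed assumptions.

```python
import re

CORP_DOMAIN = "corp.example"   # assumption: the organization's own mail domain
MAX_INTERNAL_SHARES = 3        # assumption: more internal recipients than this is "excessive"
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_sensitive(text):
    """Flag a confidentiality marker or a Luhn-valid payment card number."""
    if "confidential" in text.lower():
        return True
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def exposure(shared_with):
    """Widest audience: public link, external party, or internal only."""
    if "anyone" in shared_with:
        return "public"
    if any(not p.endswith("@" + CORP_DOMAIN) for p in shared_with):
        return "external"
    return "internal"

def review(files):
    """Return one alert per sensitive file whose sharing needs attention."""
    severity = {"public": "critical", "external": "high", "internal": "elevated"}
    alerts = []
    for f in files:
        scope = exposure(f["shared_with"])
        excessive = scope != "internal" or len(f["shared_with"]) > MAX_INTERNAL_SHARES
        if is_sensitive(f["content"]) and excessive:
            alerts.append({"file": f["name"], "exposure": scope,
                           "severity": severity[scope], "notify": f["owner"]})
    return alerts

# Constructed sample inventory (not real data).
FILES = [
    {"name": "roadmap.docx", "owner": "alice@corp.example", "content": "CONFIDENTIAL launch plan", "shared_with": ["anyone"]},
    {"name": "invoices.csv", "owner": "bob@corp.example", "content": "card 4111 1111 1111 1111 on file", "shared_with": ["bob@corp.example", "ap@vendor.example"]},
    {"name": "lunch-menu.txt", "owner": "carol@corp.example", "content": "Tacos on Tuesday", "shared_with": ["anyone"]},
    {"name": "salaries.xlsx", "owner": "dave@corp.example", "content": "Confidential salary bands", "shared_with": ["a@corp.example", "b@corp.example", "c@corp.example", "d@corp.example"]},
    {"name": "notes.txt", "owner": "erin@corp.example", "content": "confidential draft", "shared_with": ["carol@corp.example"]},
]
```

The `notify` field carries the file owner so the alert can also go to the user who can fix the sharing setting.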
The Third Party Apps Nightmare
This dream is a bit more abstract. You find yourself sitting on a park bench, with a man wearing a shirt that reads “Productivity-Enhancing App” to your left. To his left sits another man in a shirt reading “Hacker.” Next to him, yet another man wearing a shirt that reads “Literally Everyone Else in the World.”
You look down to find yourself holding a red rubber ball, labeled “Data.” You feel compelled to hand the ball to the man to your right – after all, he’s here to help. The app man investigates the ball, but is interrupted by the “hacker”, who promptly snatches the ball, inspects it, and casually tosses it to the “Literally Everyone Else in the World” character. “Literally Everyone Else in the World” sprints away, ball in hand. You begin preparing your “we’re going to get through this, honey” speech and updating your resume.
How Did We Get Here? Users are leveraging powerful SaaS offerings in their personal lives and carry this practice into work. These applications improve productivity and employee effectiveness. However, users are often unaware of the extensive permissions requested by the apps – and their potential security implications.
The risk an app poses is determined by its access scope – the capabilities users grant to the app when enabling it within the domain, including the ability to create, manage, delete, and modify files. If the app is counterfeit – or compromised by a hacker – the malicious party may leverage the permissions granted to the app to leak data or alter the environment.
What Can I Do About It? Keep track of 3rd party apps in your environment. Be sure you can explicitly disable or enable specific apps to minimize risk. For instance, it may make sense to allow your marketing team to enable a social media app, but the risk – both in terms of information security and overall user productivity – of allowing it company-wide is too great.
Additionally, rather than waiting for an app to appear in your environment, be sure to define whether new apps are banned or trusted domain-wide by default, or exercise finer control by segmenting automatic classification based on users, OUs, and/or domains. Before whitelisting or blacklisting apps, be sure you’re making an informed decision. Find out which apps are most risky based on their permissions requests (or irrelevant to your business). Last, but not least, communicate with your business partners to ensure you’re enabling them to fulfill their role.
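One way to combine scope-based risk with per-OU defaults, as an added example rather than code from the original post or any product. The scope labels, weights, app names, OUs and the extra "review" verdict are hypothetical and constructed for illustration.

```python
# Hypothetical scope labels and weights (constructed; not any vendor's real scope names).
SCOPE_RISK = {"profile.read": 1, "files.read": 3, "files.create": 4,
              "files.modify": 6, "files.delete": 8, "files.manage": 9}

POLICY = {
    "default": "banned",                       # domain-wide default for unclassified apps
    "ou_default": {"engineering": "trusted"},  # per-OU override of that default
    "rules": {                                 # explicit per-app decisions; "*" = every other OU
        "SocialPoster": {"marketing": "trusted", "*": "banned"},
        "DiagramTool": {"*": "trusted"},
    },
}
MAX_TRUSTED_RISK = 8   # assumption: default-trusted apps scoring above this need a human decision

def risk_score(scopes):
    """Highest single-scope weight; unknown scopes are treated as worst case."""
    return max((SCOPE_RISK.get(s, 10) for s in scopes), default=0)

def decide(app, ou, scopes):
    """Return (verdict, reason) for one app enabled by a user in one OU."""
    rule = POLICY["rules"].get(app)
    if rule:
        return rule.get(ou, rule.get("*", POLICY["default"])), "explicit rule"
    verdict = POLICY["ou_default"].get(ou, POLICY["default"])
    if verdict == "trusted" and risk_score(scopes) > MAX_TRUSTED_RISK:
        return "review", "default-trusted but high-risk scopes"
    return verdict, "default"

def audit(grants):
    """Score every grant and list the riskiest first."""
    rows = [{"app": g["app"], "ou": g["ou"], "risk": risk_score(g["scopes"]),
             "verdict": decide(g["app"], g["ou"], g["scopes"])[0]} for g in grants]
    return sorted(rows, key=lambda r: -r["risk"])

# Constructed sample of app grants observed in the environment (not real data).
GRANTS = [
    {"app": "SocialPoster", "ou": "marketing", "scopes": ["profile.read", "files.read"]},
    {"app": "SocialPoster", "ou": "finance", "scopes": ["profile.read", "files.read"]},
    {"app": "PdfMagic", "ou": "engineering", "scopes": ["files.manage"]},
    {"app": "PdfMagic", "ou": "sales", "scopes": ["files.read"]},
    {"app": "DiagramTool", "ou": "sales", "scopes": ["files.create", "files.modify"]},
]
```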