
Navigating the Chaos: Security Incident Management in Large Cloud Environments

Michael Gleason

I spend my days (and nights) explaining how the strengths of the cloud - high availability, scalability, and interoperability - can help us overcome what is often considered its greatest weakness: security.

CloudLock - Cloud Security

It comes as no surprise: as your SaaS deployment grows, usage, data, and incidents all increase together. If you’re responsible for security operations in a large environment, managing the ever-growing number of security incidents that fly your way can be daunting – but it doesn’t have to be.

Better incident management is all about catching every incident worth investigating, reducing your false positive rate, and executing an efficient remediation process. Let’s get started with some basic tips you can put to work immediately.

Configure Tight Policies

Why You Need To Do It. Whether you have a DLP solution or not, your process for keeping data secure requires a little care and feeding. If managing incidents in your environment feels like drinking from a firehose, it’s time to reevaluate your approach.

No one likes false positives – no one. High false positive rates and undetected security incidents both mean more work for you, in the short term and the long term. It’s not enough to identify sensitive content alone – you have to be able to pinpoint the security events worth investigating with precision. To get your arms around every incident worth addressing, establish comprehensive policies mapped to your acceptable use policy and the compliance regulations that apply to you.

How to Make It Happen. First, define precisely what sensitive information means to your organization. Is it PCI data? Is it documents containing the word “confidential”? Once you understand this, create smart policies that take into account content elements such as threshold (the number of policy violations a file or object must contain before an incident is created) and proximity (count content as a match only if a specified pattern is found within a defined character range of a supporting term). Additionally, consider context factors, such as file ownership and exposure level, for even tighter policy configuration.
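To make threshold, proximity and exposure context concrete, here is an added example policy evaluator (not CloudLock’s code; the policy, the card-number pattern, the `card number` keyword and the sample documents are all constructed for illustration). A bare 16-digit number only counts as a match when the keyword sits within the proximity window, an incident opens only once the threshold is reached, and the policy is scoped to the exposure levels it lists.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str      # regex for the content element (here: 16-digit card-like numbers)
    keyword: str      # supporting term that must appear near each match (proximity rule)
    proximity: int    # max characters between the keyword and a match
    threshold: int    # matches needed in one object before an incident is opened
    exposures: frozenset = frozenset({"public", "external"})  # context: exposure levels in scope

@dataclass(frozen=True)
class FileContext:
    owner: str
    exposure: str     # e.g. "private", "internal", "external", "public"

def count_matches(policy: Policy, text: str) -> int:
    """Count pattern hits that have the keyword within the proximity window."""
    hits = 0
    for m in re.finditer(policy.pattern, text):
        lo = max(0, m.start() - policy.proximity)
        hi = min(len(text), m.end() + policy.proximity)
        if re.search(policy.keyword, text[lo:hi], re.IGNORECASE):
            hits += 1
    return hits

def evaluate(policy: Policy, text: str, ctx: FileContext) -> dict:
    """Apply the threshold and the exposure context; return a small incident record."""
    hits = count_matches(policy, text)
    opened = hits >= policy.threshold and ctx.exposure in policy.exposures
    return {"policy": policy.name, "owner": ctx.owner, "matches": hits, "incident": opened}

# Constructed policy and sample documents (not real data).
PCI = Policy(name="pci-card-numbers",
             pattern=r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
             keyword=r"card\s+number", proximity=40, threshold=2)

DOC_CARDS = ("Customer card number 4111 1111 1111 1111 on file; "
             "backup card number 5500 0000 0000 0004.")
# Same digit shape, but shipment tracking numbers: no keyword nearby, so no match.
DOC_TRACKING = "Shipment tracking: 1234 5678 9012 3456 and 9876 5432 1098 7654 delivered."

if __name__ == "__main__":
    print(evaluate(PCI, DOC_CARDS, FileContext("alice@example.com", "public")))
    print(evaluate(PCI, DOC_CARDS, FileContext("alice@example.com", "private")))
    print(evaluate(PCI, DOC_TRACKING, FileContext("bob@example.com", "public")))
```

The tracking-number document shows the proximity rule doing the false-positive reduction the text describes: the pattern fires twice, yet zero matches are recorded.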

Triage to Resolve High-Risk Incidents First

Why You Need To Do It. No matter how tight your policy is and how motivated your security team is, at the end of the day you’re going to be left with a sizeable pile of incidents to attend to. Triage incidents to reduce a high volume of security events to manageable chunks and resolve high-risk incidents first.

How to Make It Happen. For each policy you feed your DLP solution, be sure to categorize a violation on a severity spectrum from low-risk to high-risk. Then, automate, automate, automate to take advantage of these categorizations. For instance, in the event of a high-risk event, be sure your incident management team is notified directly to ensure rapid response.

Work With Your Users

Why You Need To Do It. Let’s be honest – there’s not a single security team in the world bragging about their excess of human resources. Including users in the remediation process translates to a dramatic reduction in incidents, and, consequently, the workload for IT professionals. Bonus: notifying end users when they violate policy and allowing them to remediate incidents themselves educates users and will reduce future incidents, too.

How to Make It Happen. It wouldn’t be much more efficient if you had to contact the end user manually every time they violate a policy. Automate this action through your security solution. Want to take it one step further? Tie the response action to the severity of the policy violation.
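The severity triage from the previous section and the severity-tied user response described here, as one added example (not CloudLock’s code; the policy names, severity assignments and incident records are constructed, and the action names are hypothetical hooks a security solution would implement):

```python
from dataclasses import dataclass
from enum import IntEnum

class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Constructed: each policy fed to the DLP solution carries a severity on the low-to-high spectrum.
POLICY_SEVERITY = {
    "confidential-keyword": Severity.LOW,
    "pii-external-share": Severity.MEDIUM,
    "pci-public-share": Severity.HIGH,
}

@dataclass(frozen=True)
class Incident:
    id: str
    policy: str
    owner: str    # end user who owns the offending file

def severity_of(incident: Incident) -> Severity:
    """Unknown policies default to LOW so they are still tracked, never dropped."""
    return POLICY_SEVERITY.get(incident.policy, Severity.LOW)

def triage(incidents) -> list:
    """Order the queue so the highest-severity incidents are worked first."""
    return sorted(incidents, key=severity_of, reverse=True)

def response_actions(incident: Incident) -> list:
    """Tie the automated response to severity: every user is told what they did and can
    self-remediate; medium and above also gets exposure removed; high pages the team."""
    sev = severity_of(incident)
    actions = [f"notify_user:{incident.owner}"]
    if sev >= Severity.MEDIUM:
        actions.append("revoke_external_sharing")
    if sev == Severity.HIGH:
        actions.append("page_incident_team")
    return actions

def plan(incidents) -> list:
    """Triage order plus the action list for each incident."""
    return [(i.id, severity_of(i).name, response_actions(i)) for i in triage(incidents)]

# Constructed sample queue, arriving in no particular order.
QUEUE = [
    Incident("inc-001", "confidential-keyword", "carol@example.com"),
    Incident("inc-002", "pci-public-share", "dave@example.com"),
    Incident("inc-003", "pii-external-share", "erin@example.com"),
]

if __name__ == "__main__":
    for row in plan(QUEUE):
        print(row)
```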

Before long, your users will be security-savvy, and the number of incidents will naturally reduce. You never know – soon you may even be able to take that vacation day you’ve been looking forward to.

Knowledge is Power

Get started with a free security assessment to find out how secure your domain really is. We will review and audit your organization’s Google Apps environment, as well as the usage of third-party applications connected to your SaaS applications, to:

  • Compare your Security Score for the Google Apps domain and/or Salesforce environment to other customers
  • Provide metrics, considerations, and recommendations that lead to the analysis
  • Recommend actionable next steps for instituting Acceptable Use Policies (AUPs)

Get Started Today!
